Affected with Smitfraud-C and LockSky.Nag
sanjuv999
2007-07-06, 09:09
Hi,
I am infected with Smitfraud-c and Locksky.Nag according to Spybot. I have wasted 2 days on trying to solve this. Someone please help me. Now when I shut down my system it shows an exception that it can't read a particular memory. I have Windows XP SP2, ZoneAlarm 7.0, XoftSpySE 4.31, Avast Antivirus 4.7.
================
The startup of Spybot 1.4 (updated to the latest definitions) is full of "instcat.dll", "c:\windows\system32\mljgh.dll", "pmnmkkh.dll" and some others. The Browser Helper Objects section of Spybot shows "mljgh.dll" and "pmnmkkh.dll".
The ActiveX section shows "c:\Windows\Downloaded Program Files\erma.inf". I wonder what that is...
================
The HJT log is posted below....
Logfile of HijackThis v1.99.1
Scan saved at 10:33:10 AM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\hkcmd.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
================
Zone-Alarm complains of "not-a-virus:Adware.Win32.Virtumonde.jp" which it is unable to repair
================
Norton 2007 and Avast were useless... Even the claims made by XoftSpySE that it can remove "smitfraud-c" and "Locksky.Nag" were useless.
sanjuv999
2007-07-06, 12:34
Ok, I uninstalled ZoneAlarm, the Norton 2007 15-day trial, Internet Explorer 7 and its updates. Installed Opera 9 and CCleaner. Ran CCleaner and removed whatever it reported. Renamed HJT to Scan. Now the log shows the DLLs which were NOT being reported before. Even though I fix the entries (shown below) in HJT in Safe Mode, they still return...
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll
The above is the list of files that I checked to delete. But they still appear...
Here's the latest HJT log....
=====================================
Logfile of HijackThis v1.99.1
Scan saved at 2:40:26 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\scan.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
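As an added example (not from the thread, and not code from HijackThis or Spybot), the persistence pattern this post describes, the same randomly named DLL registered both as a BHO and as a Winlogon Notify package, can be picked out mechanically from the log text. The script below parses the O2 and O20 lines of a HijackThis 1.99.1 log (the sample lines are copied from the logs posted above) and flags that pairing, plus any AppInit_DLLs entry. The severity labels and the "nameless BHO loading straight from system32" heuristic are my own assumptions, not anything HijackThis reports.

```python
"""Triage helper for HijackThis 1.99.1 log lines.

Added example; not part of the forum thread nor of HijackThis itself.
It parses O2 (BHO) and O20 (AppInit_DLLs / Winlogon Notify) lines and
flags the pattern described in the thread: the same DLL registered as a
Browser Helper Object and as a Winlogon Notify package, which is why
fixing the BHO alone in HJT does not make the entry go away.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT logs posted in the thread.
# The O21 and O23 lines are included only to show that they are ignored.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    section: str  # "O2" or "O20"
    kind: str     # "BHO", "AppInit_DLLs" or "Winlogon Notify"
    name: str     # display name / registry value name, "" when the line has none
    path: str     # module path exactly as HJT printed it


@dataclass
class Finding:
    severity: str  # assumed labels: "review", "suspicious", "reinfection-pair"
    path: str      # normalised (lower-cased) module path
    reason: str


_PATTERNS = [
    ("O2", "BHO",
     re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")),
    ("O20", "AppInit_DLLs",
     re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")),
    ("O20", "Winlogon Notify",
     re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")),
]


def parse_hjt(text):
    """Return the O2/O20 entries found in an HJT log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, kind, rx in _PATTERNS:
            m = rx.match(line)
            if m:
                gd = m.groupdict()
                entries.append(Entry(section, kind, gd.get("name", ""), gd["path"].strip()))
                break
    return entries


def _norm(path):
    # Windows paths are case-insensitive; HJT prints them as stored in the registry,
    # so system32 and SYSTEM32 must compare equal.
    return path.lower()


def _in_system32(path):
    head, _, _ = _norm(path).rpartition("\\")
    return head.endswith("\\system32")


def triage(entries):
    """Apply the (assumed) heuristics and return findings sorted for stable output."""
    findings = []
    kinds_by_dll = defaultdict(set)
    for e in entries:
        kinds_by_dll[_norm(e.path)].add(e.kind)
        if e.kind == "AppInit_DLLs":
            findings.append(Finding("review", _norm(e.path),
                "AppInit_DLLs is normally empty on XP; a DLL here is loaded into every process that uses user32"))
        elif e.kind == "BHO" and e.name == "(no name)" and _in_system32(e.path):
            findings.append(Finding("suspicious", _norm(e.path),
                "nameless BHO loading a DLL straight from system32"))
    for dll, kinds in kinds_by_dll.items():
        if "BHO" in kinds and "Winlogon Notify" in kinds:
            findings.append(Finding("reinfection-pair", dll,
                "same DLL is a BHO and a Winlogon Notify package; winlogon loads it at boot, so fixing the BHO alone does not help"))
    findings.sort(key=lambda f: (f.severity, f.path))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

On the sample above the script reports svchen.dll for review, the two nameless system32 BHOs as suspicious, and mljgh.dll and pmnmkkh.dll as BHO/Winlogon pairs, while SDHelper.dll (nameless but living in the Spybot folder) is not flagged. Paths are compared case-insensitively, which matters here because HJT prints one of the pmnmkkh.dll entries with SYSTEM32 in capitals.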
sanjuv999
2007-07-06, 13:53
I ran ComboFix. Now Spybot does not detect Smitfraud-c, etc. during the scan. Instead, at "System Startup" in Spybot, I ALWAYS get these:
"instcat.dll", "c:\windows\system\32\mljgh.dll", etc. and they are unchecked!!!
Even if I delete them, they still reappear.
------------------------------------------------------------------------
"VSINE0003" - 2007-07-06 15:14:19 - ComboFix 07-07-04.4 - Service Pack 2
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\adktunwp.dll
C:\WINDOWS\system32\hlivybgm.dll
C:\WINDOWS\system32\mgbyvilh.ini
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\pmnmkkh.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP
C:\Program Files\Common Files\{78D80~1
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ASC3550U
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_DOMAINSERVICE
-------\asc3550u
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))
2007-07-06 15:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-06 14:06 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\Opera
2007-07-06 14:05 <DIR> d-------- C:\Program Files\Opera
2007-07-06 13:48 <DIR> d-------- C:\!KillBox
2007-07-06 12:38 <DIR> d-------- C:\Program Files\CCleaner
2007-07-06 12:35 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-07-06 09:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MailFrontier
2007-07-06 03:09 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-05 22:15 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-05 22:15 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-05 22:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-05 22:15 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-05 22:15 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-05 22:15 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-05 22:15 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-05 22:14 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-05 15:36 512 --a------ C:\ScanSectorLog.dat
2007-07-05 15:25 39,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-05 15:25 1,458,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-05 14:14 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-07-05 14:14 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-04 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-04 11:28 <DIR> d-------- C:\Program Files\BitComet
2007-07-04 09:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-02 17:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-29 12:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-28 15:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-06-28 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-26 18:33 <DIR> d-------- C:\WINDOWS\PrimoPDF
2007-06-26 18:33 <DIR> d-------- C:\Program Files\activePDF
2007-06-26 16:44 <DIR> d-------- C:\Program Files\EMS
2007-06-26 10:42 <DIR> d-------- C:\Program Files\SQLyog Community
2007-06-26 10:42 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\SQLyog
2007-06-25 17:00 <DIR> d-------- C:\Program Files\Intelligent Converters
2007-06-25 16:29 <DIR> d-------- C:\Program Files\MySQL Query Analyzer
2007-06-25 14:24 1,952 --a------ C:\WINDOWS\Sysvm32.dll
2007-06-25 10:56 <DIR> d-------- C:\Program Files\MySQL
2007-06-21 00:37 <DIR> d-------- C:\zip
2007-06-21 00:33 <DIR> d-------- C:\unzip
2007-06-20 23:47 <DIR> d-------- C:\xpdf-3.02-win32
2007-06-20 23:32 <DIR> d-------- C:\antiword
2007-06-20 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-06-20 18:00 <DIR> d-------- C:\xampp-win32-1.5.1
2007-06-18 14:19 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\MySQL
2007-06-15 16:32 <DIR> d-------- C:\Program Files\Zards software
2007-06-08 16:09 796,672 --a------ C:\WINDOWS\GPInstall.exe
2007-06-08 15:51 <DIR> d-------- C:\WINDOWS\Paltalk Messenger
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-06 04:51:40 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-05 13:52:21 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Windows NT
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Movie Maker
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Messenger
2007-06-29 06:18:21 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-06-26 05:54:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-01 10:46:22 152,064 ----a-w C:\WINDOWS\system32\isys32.exe
2007-05-30 11:53:40 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-30 11:44:34 -------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
2007-05-30 11:16:48 -------- d-----w C:\Program Files\HTML Help Workshop
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-07 05:15:52 -------- d-----w C:\Program Files\Common Files\Vbox
2007-05-07 05:15:06 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-07 05:10:11 -------- d-----w C:\Program Files\Common Files\Macromedia Shared
2007-05-04 15:46:09 0 ----a-w C:\WINDOWS\nsreg.dat
2007-05-04 12:54:39 1,920 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-04 05:56:11 138 ----a-w C:\WINDOWS\system32\winser.bin
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi(2).dll
2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:09 C:\WINDOWS\SOUNDMAN.EXE]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 18:52]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 21:12]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:30]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-05-10 16:31]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{65A63651-8AFB-4A2B-AC75-CB4C68B0DDB0}"="C:\Program Files\Common Files\System\mshexthk.dll" [2002-08-13 15:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\svchen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee442-f15a-11db-ac14-001485fc561f}]
Auto\command- E:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06f7df5e-dde5-11db-ac09-001485fc561f}]
1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
Contents of the 'Scheduled Tasks' folder
2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 15:27:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mysql]
"ImagePath"="C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt --defaults-file=C:\xampp-win32-1.5.1\xampp\mysql\bin\my.cnf mysql"
Completion time: 2007-07-06 15:29:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 15:29
--- E O F ---
==========================================================
HJT Log starts here
=====================================================
Logfile of HijackThis v1.99.1
Scan saved at 16:11, on 2007-07-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\scan.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
sanjuv999
2007-07-07, 09:24
Waiting for your suggestion
pskelley
2007-07-07, 14:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
Waiting for your suggestion
I suggest you start by reading the directions posted above, which are also posted at the top of the forum. If you still have malware issues, please do this:
1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
2) I need to know what this file is: C:\WINDOWS\system32\svchen.dll
Use one or more of these free online scanners to find out and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
You will probably have to enable hidden files and folders to see the file:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
3) Please tell me what your malware problems are. If you receive error messages, post those word for word.
4) Post a new HJT log, the information I requested and nothing else unless you have comments that will help.
Thanks
sanjuv999
2007-07-09, 07:52
Hi,
I have read the instructions for posting. I have created the folder HJT in "C:\" with the file "HijackThis.exe" in that folder. Well, after enabling hidden files and folders, I am unable to find the "svchen.dll"!!!
Ok, my problem was that I had "Smitfraud-c" and "Locksky.Nag". But after following the posts by other users, the "Smitfraud-c" and "Locksky.Nag" no longer appear in the Spybot manual scan. But now in Spybot->Tools->System start-up, I get a set of weird stuff as start-ups in the "System.ini" key. I mean weird because they are not in English; they are some vertical lines with an "@" character followed by "8". In addition to that, they also contain the files "instcat.dll" and "pmnmkkh.dll" and "C:\Windows\System32\mljgh.dll".
There is also a "WgaLogon" with no command-line value. All the above entries are in bold. Here's the catch: the above entries are "unchecked" in the "System start-up" of Spybot and are present in "System.ini". Now even if I delete these unchecked values, they still reappear in the start-up of Spybot in System.ini as unchecked values!!! If you need a bitmap of what I am saying, I will be glad to provide one.
However, I have posted a new HJT log and a Kaspersky online scan log. Note the Kaspersky log... it contains something helpful.
=============================================================
Logfile of HijackThis v1.99.1
Scan saved at 09:42, on 2007-07-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
==================================================
Kaspersky online scanner log
---------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-07-09 08:58
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 6/07/2007
Kaspersky Anti-Virus database records: 358938
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
V:\
Scan Statistics:
Total number of scanned objects: 203289
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 04:21:53
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\704aa8cd95d47ee56588259239842af6_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db5ded2d438f52841c9522b30cdd83f9_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7fc.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Simple user interface.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_366.trc Object is locked skipped
C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnmkkh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_1e4.dat Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_584.dat Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\access.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\error.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\ssl_request.log Object is locked skipped
Scan process completed.
pskelley
2007-07-09, 15:43
Thanks for the information and the feedback. Google knows nothing about this item:
http://www.google.com/search?hl=en&q=svchen.dll&btnG=Google+Search and I can't search it from here, so we will delete it.
The files you mention with the strange .dlls: if you recently removed Vundo without VundoFix, this is a good possibility. We will run ComboFix; it is good about picking up leftover Vundo.
It may also remove this item: O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll but try this first:
How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\svchen.dll or copy/paste it to the tool and click on it once, and then click on the Open button. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
KASPERSKY ONLINE SCANNER REPORT 2007-07-09 08:58
C:\QooBox\Quarantine\ <<< please delete that folder in red and any other combofix you have on your computer. I wish to run it again, but I want a new download.
I would delete these infected files and read the information in the link:
C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
http://forums.spybot.info/showthread.php?t=282 <<< see this
Spybot: would you check to make sure your version of Spybot is totally up to date and fully immunized. Then run a scan and let me know what it finds that it cannot remove. I may need to see the scan report; I will let you know once I get feedback from you.
I would also appreciate it if you would open the "Recovery" folder and delete the contents.
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the combofix log and a new HijackThis log.
Add any information I requested and any comments you think will help.
Thanks
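The two logs traded in this thread (the HijackThis O-sections and the Kaspersky "Infected: ... skipped" lines) are easier to read once the noise is stripped out. The script below is an added example, not code from the thread, from HijackThis, or from Kaspersky: it parses a constructed excerpt in the shape of the logs posted above, drops the "Object is locked" lines, and ranks what remains, putting the AppInit_DLLs entry (O20) first because anything listed there is loaded into every process that links user32.dll, which is also why the file returns after a delete-on-reboot if its loader is still alive. The severity labels and the helper names are this example's own assumptions.

```python
"""Triage helper for HijackThis and Kaspersky Online Scanner log excerpts.

Added example: parses the two log formats seen in this thread and sorts the
entries that matter (AppInit_DLLs, detections) from the noise (locked files,
stale service registrations). The severity labels are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    source: str    # "hjt" or "kaspersky"
    item: str      # path or log body the finding refers to
    reason: str


# Constructed sample in the shape of the HijackThis 1.99.1 log posted above.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
"""

# Constructed sample in the shape of the Kaspersky Online Scanner report posted above.
SAMPLE_KAV = r"""C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnmkkh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Projects\Share\Share.zip ZIP: infected - 1 skipped
Scan process completed.
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
KAV_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
KAV_ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")


def parse_hjt(text):
    """Return (section, body) pairs for the O-numbered lines of an HJT log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(entries):
    """Flag the HJT sections that decide whether a box is still infected."""
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that links
            # user32.dll, so an unknown DLL at O20 is the first thing to
            # resolve; it keeps coming back while whatever re-creates it runs.
            dll = body.split(":", 1)[1].strip()
            findings.append(Finding("high", "hjt", dll,
                                    "AppInit_DLLs entry: identify the DLL, then remove it and its loader"))
        elif section == "O23" and body.endswith("(file missing)"):
            # A service whose binary is gone cannot run; confirm on disk, then
            # treat it as a leftover registration rather than an active threat.
            findings.append(Finding("info", "hjt", body,
                                    "service binary not found: stale registration, verify on disk"))
    return findings


def triage_kaspersky(text):
    """Separate real detections from the 'Object is locked' noise."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Object is locked skipped"):
            continue  # registry hives, event logs, databases in use: not detections
        m = KAV_INFECTED.match(line)
        if m:
            # Kaspersky prefixes riskware (adware, P2P clients, remote-admin
            # tools) with "not-a-virus:"; it still needs a decision, but it is
            # not on the same footing as a trojan or backdoor verdict.
            sev = "medium" if m["verdict"].startswith("not-a-virus:") else "high"
            findings.append(Finding(sev, "kaspersky", m["path"], m["verdict"]))
            continue
        m = KAV_ARCHIVE.match(line)
        if m:
            findings.append(Finding("info", "kaspersky", m["path"],
                                    f"{m['kind']} container holding {m['count']} detection(s)"))
    return findings


def triage_all(hjt_text, kav_text):
    """Run both parsers and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = triage_hjt(parse_hjt(hjt_text)) + triage_kaspersky(kav_text)
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage_all(SAMPLE_HJT, SAMPLE_KAV):
        print(f"[{f.severity:<6}] {f.source:<9} {f.item}\n         {f.reason}")
```

Run as-is it prints the svchen.dll AppInit_DLLs entry first, then the quarantined Virtumonde DLL, and only then the stale mysql service and the archive hit; pasting a real log into the two sample strings gives the same ordering for that log. The point of the ranking is the one pskelley makes in the post above: the O20 entry is what to resolve first, and the "Object is locked" lines are not findings at all.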
sanjuv999
2007-07-11, 07:03
Hi
I did run VundoFix at the early stages of the post to see if it would fix the affected files. But after the scan, no such files were reported by the tool.
I deleted
1)C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
2)C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
3)C:\QooBox\Quarantine\
4)ComboFix files
Now coming to HJT, I gave the file "C:\WINDOWS\SYSTEM32\svchen.dll" delete on reboot, but to no avail. It has come back in the fresh HJT log.
I ran ComboFix.exe. I installed IE 7.0 and its updates and uninstalled Opera 9, as Kaspersky depends on IE6 and above. I then installed the Kaspersky ActiveX and updates and ran a fresh online scan. Spybot (v1.4) is totally up to date (new updates) and is fully immunized. It is a ritual for me to keep it that way every day. This time, strangely, Spybot has detected something. I have posted the ComboFix log, HJT log, Kaspersky log, BitDefender online scan results and the Spybot log (unchecked "Include uninstall list in report" and "Include list of services in report", checked "Do not report disabled or known legitimate items"). Do you want a bitmap of my start-up in Spybot so that you can see the strange DLLs? Here's another trivial point: my time is being displayed in a 24-hour format instead of AM/PM. Also, my system started getting infected only when a new network was attached to my network.
Avast Antivirus suddenly gave a message box saying that it found a malware "Win32:Adware-gen. [Adw]" in my temporary folder. I deleted it. By the way, I ran a Trend Micro online scan and it showed up with malware: ADWARE_MEMWATCHER (94 infections) and TSPY_SMALL (13 infections). Check out the Spybot log; it contains the weird characters in System.ini. Awaiting your reply eagerly...
==============
Kaspersky Log
==============
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-07-11 08:53
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/07/2007
Kaspersky Anti-Virus database records: 360525
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
V:\
Scan Statistics:
Total number of scanned objects: 309637
Number of viruses found: 1
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:37:04
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\704aa8cd95d47ee56588259239842af6_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db5ded2d438f52841c9522b30cdd83f9_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7b4.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temp\~DF153B.tmp Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\vsine0003.VYUHASOFTWARE\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_371.trc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{16924332-E0C1-4D6F-8189-6B8B5F3655D7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_580.dat Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_7e0.dat Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\access.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\error.log Object is locked skipped
C:\xampp-win32-1.5.1\xampp\apache\logs\ssl_request.log Object is locked skipped
V:\Helpdesk\SysAidServerFree.exe/file0030/data0007 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0030 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0032/data0009 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0032 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe Inno: infected - 4 skipped
Scan process completed.
=============
HJT Log
=============
Logfile of HijackThis v1.99.1
Scan saved at 09:13, on 2007-07-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
===============================================
BitDefender Online scan results...
=================================
Identified Viruses [ 1 ]
Infected Files [ 3 ]
Disinfected [ 0 ]
Deleted Files [ 3 ]
First Action [ Disinfect ]
Second Action [ Delete ]
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Infected with: Backdoor.Hupigon.BV ]
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Disinfection failed ]
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Deleted ]
sanjuv999
2007-07-11, 07:07
==================
ComboFix Log
==================
"VSINE0003" - 2007-07-10 10:00:23 - ComboFix 07-07-10.1 - Service Pack 2
((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))
2007-07-10 09:44 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-10 09:37 <DIR> d-------- C:\HJT
2007-07-06 15:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-06 14:06 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\Opera
2007-07-06 14:05 <DIR> d-------- C:\Program Files\Opera
2007-07-06 12:38 <DIR> d-------- C:\Program Files\CCleaner
2007-07-06 12:35 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-07-06 09:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MailFrontier
2007-07-06 03:09 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-05 22:15 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-05 22:15 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-05 22:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-05 22:15 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-05 22:15 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-05 22:15 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-05 22:15 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-05 22:14 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-05 15:36 512 --a------ C:\ScanSectorLog.dat
2007-07-05 15:25 39,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-05 15:25 1,458,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-05 14:14 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-07-05 14:14 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-04 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-04 11:28 <DIR> d-------- C:\Program Files\BitComet
2007-07-04 09:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-02 17:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-29 12:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-28 15:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-06-28 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-26 18:33 <DIR> d-------- C:\WINDOWS\PrimoPDF
2007-06-26 18:33 <DIR> d-------- C:\Program Files\activePDF
2007-06-26 16:44 <DIR> d-------- C:\Program Files\EMS
2007-06-26 10:42 <DIR> d-------- C:\Program Files\SQLyog Community
2007-06-26 10:42 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\SQLyog
2007-06-25 17:00 <DIR> d-------- C:\Program Files\Intelligent Converters
2007-06-25 16:29 <DIR> d-------- C:\Program Files\MySQL Query Analyzer
2007-06-25 14:24 1,952 --a------ C:\WINDOWS\Sysvm32.dll
2007-06-25 10:56 <DIR> d-------- C:\Program Files\MySQL
2007-06-21 00:37 <DIR> d-------- C:\zip
2007-06-21 00:33 <DIR> d-------- C:\unzip
2007-06-20 23:47 <DIR> d-------- C:\xpdf-3.02-win32
2007-06-20 23:32 <DIR> d-------- C:\antiword
2007-06-20 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-06-20 18:00 <DIR> d-------- C:\xampp-win32-1.5.1
2007-06-18 14:19 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\MySQL
2007-06-15 16:32 <DIR> d-------- C:\Program Files\Zards software
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-06 04:51:40 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-05 13:52:21 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Windows NT
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Movie Maker
2007-06-29 09:01:19 -------- d-----w C:\Program Files\Messenger
2007-06-29 06:18:21 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-06-26 05:54:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-08 10:39:55 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2007-06-01 10:46:22 152,064 ----a-w C:\WINDOWS\system32\isys32.exe
2007-05-30 11:53:40 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-30 11:44:34 -------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
2007-05-30 11:16:48 -------- d-----w C:\Program Files\HTML Help Workshop
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-04 15:46:09 0 ----a-w C:\WINDOWS\nsreg.dat
2007-05-04 12:54:39 1,920 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-04 05:56:11 138 ----a-w C:\WINDOWS\system32\winser.bin
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi(2).dll
2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:09 C:\WINDOWS\SOUNDMAN.EXE]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 18:52]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 21:12]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:30]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-05-10 16:31]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{65A63651-8AFB-4A2B-AC75-CB4C68B0DDB0}"="C:\Program Files\Common Files\System\mshexthk.dll" [2002-08-13 15:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\svchen.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee442-f15a-11db-ac14-001485fc561f}]
Auto\command- E:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06f7df5e-dde5-11db-ac09-001485fc561f}]
1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
Contents of the 'Scheduled Tasks' folder
2007-07-06 11:31:39 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 10:05:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mysql]
"ImagePath"="C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt --defaults-file=C:\xampp-win32-1.5.1\xampp\mysql\bin\my.cnf mysql"
Completion time: 2007-07-10 10:06:21
--- E O F ---
sanjuv999
2007-07-11, 07:08
==========
Spybot log
===========
--- Search result list ---
Statcounter: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-07-06 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-03 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-03 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-07-03 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-07-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-07-03 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-07-03 Includes\PUPSC.sbi (*)
2007-07-03 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-03 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-07-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-03 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/922770
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB815304
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885222
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB886199
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB895246)
/ Windows XP / SP3: Hotfix for Windows XP (KB896344)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917537)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Update for Windows XP (KB920342)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Update for Windows XP (KB925876)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926247)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 40048
MD5: 66d4456c920e21bd2188f8cc33680df5
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 75392
MD5: 41b88784128c1eb3a24a928ce58b2455
Located: HK_LM:Run, SetRefresh
command: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
file: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
size: 524800
MD5: 733529e61ff992cc97e7e27ed0aaaeed
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 90112
MD5: 8dcf5e6334eea54336c93a6f0d8ceeb8
Located: HK_LM:RunOnceEx, Register Homesite+.exe
command: "C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER
file: C:\Program Files\Macromedia\HomeSite+\Homesite+.exe
size: 2254848
MD5: 140e5c68a673ee5a09fdefb6a914d05b
Located: HK_CU:Run, ccleaner
command: "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
file: C:\Program Files\CCleaner\ccleaner.exe
size: 598920
MD5: 02dc8f8fdc55ffe0a7ae6626bdd3f850
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38
Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 57cb86b1cdd77eb5138ba05d1f193463
Located: Startup (user), Shortcut to stop IIS.lnk
command: C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
file: C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
size: 118
MD5: 7c17166a45d2275c3177ae22e481faa6
Located: System.ini, (˜ (DISABLED)
command: (˜
file: (˜
Located: System.ini, instcat (DISABLED)
command: instcat.dll
file: instcat.dll
Located: System.ini, mljgh (DISABLED)
command: C:\WINDOWS\system32\mljgh.dll
file: C:\WINDOWS\system32\mljgh.dll
Located: System.ini, pmnmkkh (DISABLED)
command: pmnmkkh.dll
file: pmnmkkh.dll
Located: System.ini, WgaLogon (DISABLED)
command:
file:
Located: System.ini, Àpx€ (DISABLED)
command: Àpx€
file: Àpx€
Located: System.ini, ø¨°€ (DISABLED)
command: ø¨°€
file: ø¨°€
Located: System.ini, ˆ8@€ (DISABLED)
command: ˆ8@€
file: ˆ8@€
Located: System.ini, ˆ8@€ (DISABLED)
command: ˆ8@€
file: ˆ8@€
Spybot log continues in next log...
sanjuv999
2007-07-11, 07:11
===========
Spybot log(Continued)
===========
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 2006-10-22 23:08:42
Date (last access): 2007-07-11 08:54:14
Date (last write): 2006-10-22 23:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2007-07-06 13:56:16
Date (last access): 2007-07-11 09:09:12
Date (last write): 2005-05-31 01:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
--- ActiveX list ---
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 2006-03-20 13:17:20
Date (last access): 2007-07-11 08:54:14
Date (last write): 2006-03-20 13:17:20
Filesize: 798720
Attributes: archive
MD5: F74B09086C2097BC535C5DCCCD3402AC
CRC32: 01AA9D3D
Version: 5.0.83.0
{166B1BCA-3F9C-11CF-8075-444553540000} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 2006-05-17 11:23:38
Date (last access): 2007-07-10 21:17:16
Date (last write): 2007-03-15 18:19:28
Filesize: 1476992
Attributes: archive
MD5: D1CB99ADBA9397D7D02B0B2DCFE47F1A
CRC32: ED982FE3
Version: 1.7.18.5
{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
DPF name:
CLSID name: Trend Micro ActiveX Scan Agent 6.6
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 2007-05-23 18:26:54
Date (last access): 2007-07-10 21:08:46
Date (last write): 2007-05-23 18:26:54
Filesize: 385536
Attributes: archive
MD5: 1B9A3C21B2553F5A79008CD44AF7688A
CRC32: 3F91A36A
Version: 6.51.0.1021
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\Program Files\Yahoo!\Common\yinst.inf
Codebase: C:\Program Files\Yahoo!\Common\yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Yahoo!\Common\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 2007-01-19 10:31:00
Date (last access): 2007-07-10 20:18:12
Date (last write): 2006-07-30 13:25:34
Filesize: 188968
Attributes: archive
MD5: 18B54B53CEE0E7204495BAB864EBBF03
CRC32: 6D72BB93
Version: 2006.4.14.2
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\oscan8.inf
Codebase: http://download.bitdefender.com/resources/scan8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\CONFLICT.1\
Long name: oscan8.ocx
Short name:
Date (created): 2006-06-01 02:54:16
Date (last access): 2007-07-10 21:08:46
Date (last write): 2006-06-01 02:54:16
Filesize: 471040
Attributes: archive
MD5: 9026F860148F0569BD92AEEFC4BDDFD7
CRC32: D1520CCE
Version: 1.0.0.1
{82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class)
DPF name:
CLSID name: DLC Class
Installer: C:\WINDOWS\Downloaded Program Files\dlc.inf
Codebase: https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
description:
classification: Legitimate
known filename: grTransferCtrl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: grTransferCtrl.dll
Short name: GRTRAN~2.DLL
Date (created): 2006-02-22 14:57:26
Date (last access): 2007-07-11 08:58:46
Date (last write): 2006-02-22 14:57:26
Filesize: 92960
Attributes: archive
MD5: E2BD15574DCB64B9C3DC86C8DECCE302
CRC32: 6783CAB0
Version: 5.0.0.27
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Legitimate
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 2006-08-24 08:28:54
Date (last access): 2007-07-11 08:58:46
Date (last write): 2006-08-24 08:28:54
Filesize: 141424
Attributes: archive
MD5: CB0EBD772D7D003BD11A999FF515A89A
CRC32: 3CFE74C1
Version: 58.6.0.0
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9c.ocx
Short name:
Date (created): 2007-03-24 03:29:38
Date (last access): 2007-07-10 21:17:18
Date (last write): 2007-03-24 03:29:38
Filesize: 2267368
Attributes: archive
MD5: 18AE02A4195292C692D5B006F1421D01
CRC32: B8EED2E6
Version: 9.0.45.0
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
Spybot log continues
sanjuv999
2007-07-11, 07:12
============
Spybot Log(Continued)
===============
--- Process list ---
PID: 0 ( 0) [System]
PID: 600 ( 4) \SystemRoot\System32\smss.exe
PID: 648 ( 600) \??\C:\WINDOWS\system32\csrss.exe
PID: 672 ( 600) \??\C:\WINDOWS\system32\winlogon.exe
PID: 716 ( 672) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 728 ( 672) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 892 ( 716) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 972 ( 716) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1068 ( 716) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1192 ( 716) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1276 ( 716) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1336 ( 716) C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
size: 16512
MD5: 0BAB87DB7DAC336B52ADA529CF472B74
PID: 1408 ( 716) C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 132736
MD5: 4C2D6F51F2A1943EF24E8C3E55267F04
PID: 1608 ( 716) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1768 ( 716) C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
size: 20537
MD5: DE1C6EFDCA41880221816848B4D78DA9
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 2007-07-11 09:11:26
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{188CD092-11E5-49B1-9383-80284B98C41D}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{188CD092-11E5-49B1-9383-80284B98C41D}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{09D75A7F-03A6-414B-BE41-D42D09D1EEFA}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{09D75A7F-03A6-414B-BE41-D42D09D1EEFA}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7C50D62A-EA49-4978-BA12-7671E818AD6A}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7C50D62A-EA49-4978-BA12-7671E818AD6A}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B11EFB23-9531-4BE0-9A7E-DF5EA58EF2D7}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B11EFB23-9531-4BE0-9A7E-DF5EA58EF2D7}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
pskelley
2007-07-11, 14:49
For starters, please only post what I ask for. If I need to see a Spybot report, I will request it. If you have questions about Spybot, post them here:
http://forums.spybot.info/forumdisplay.php?f=4 It is hard for me to figure out what I am doing and what you are doing.
This is what I requested: Post the combofix log and a new HijackThis log.
Please review these instructions again:
http://forums.spybot.info/showthread.php?t=288
Note: In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.
Please turn off "Word Wrap" until we finish working together.
This file: O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll is on your computer. Follow these directions:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
or these: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx
Then use Search Companion: Start > Search > All Files and Folders and search for this file: svchen.dll
There are a lot of files on your computer, so it can take a while for Search Companion to locate it. Once SC displays the location of that file, navigate to it and scan the file with one or more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Post the scan results for me to view.
Here is what Kaspersky is seeing; what are you downloading?
V:\Helpdesk\SysAidServerFree.exe/file0030/data0007 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0030 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0032/data0009 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe/file0032 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
V:\Helpdesk\SysAidServerFree.exe Inno: infected - 4 skipped
This may or may not be a problem, even Kaspersky is not sure. Use the scanners I posted if you want to check those files.
What I need from you:
The scan results on this file: C:\WINDOWS\system32\svchen.dll
A new HJT log that is not formatted
Nothing else
Thanks
sanjuv999
2007-07-11, 15:50
Windows Search Companion is unable to find the file "svchen.dll" even though I enabled the hidden files, etc. option as you have mentioned in the link.
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18:16, on 2007-07-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
pskelley
2007-07-11, 16:56
Thanks for returning that information, let me show you what Google returns when searched for that item:
http://www.google.com/search?hl=en&q=O20+-+AppInit_DLLs%3A+C%3A%5CWINDOWS%5Csystem32%5Csvchen.dll&btnG=Search
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
You have stuff I do not use running on your computer:
C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
Which may be Cold Fusion. Do you know what this is?
O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
It could also have to do with your domain.
Since I am in Florida, I cannot find that file for you to see if it is bad. I am 99% sure but will not take the responsibility for removing it. If you want it gone, tell me that in your post and I will look for a way to remove it.
Thanks
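A responder's-side triage of the HijackThis lines discussed in this thread (the O20 AppInit_DLLs entry, unnamed or random-named O2 BHOs such as mljgh.dll, and O23 services marked "(file missing)"), as an added example that is not from the thread or from HijackThis. The sample log lines and the BHO CLSID are constructed, and the no-vowel heuristic in looks_random is an assumption of this example, not a HijackThis rule.

```python
import re

# Constructed sample in HijackThis 1.99.1 format: the svchen.dll O20 line is the
# one discussed in the thread; the mljgh.dll BHO uses a placeholder CLSID.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path up to a .dll/.exe; non-greedy so paths with spaces work.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)\b', re.IGNORECASE)

def parse_hjt(text):
    """Return (section, body) pairs for every 'Onn - ...' line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def looks_random(filename):
    """Assumed heuristic: a stem of four or more letters with no vowels (mljgh, pmnmkkh)."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) >= 4 and not any(c in "aeiou" for c in stem)

def triage(entries):
    """Return (section, reason, path) for the entries a responder reviews first."""
    findings = []
    for section, body in entries:
        m = PATH_RE.search(body)
        path = m.group(0) if m else ""
        base = path.rsplit("\\", 1)[-1]
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll; on a
            # clean XP install the value is normally empty, so any entry gets reviewed.
            findings.append((section, "AppInit_DLLs entry present", path))
        elif section == "O2" and (body.startswith("BHO: (no name)") or looks_random(base)):
            findings.append((section, "unnamed or random-named BHO", path))
        elif section == "O23" and body.endswith("(file missing)"):
            if '" ' in body:
                # HJT 1.99.1 prints "(file missing)" for quoted paths carrying arguments
                # even when the binary exists; confirm on disk before acting on it.
                findings.append((section, "service path with arguments; verify on disk", path))
            else:
                findings.append((section, "service binary not found", path))
    return findings

if __name__ == "__main__":
    for section, reason, path in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason:45} {path}")
```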
sanjuv999
2007-07-11, 17:32
StopIIS.bat is a batch file I made to stop the IIS and SQL Server services from running, as I am using the Apache Webserver (C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe) and MySQL. By the way, I was able to remove "svchen.dll" by booting into safe mode and using HJT. Now I want to remove the automatic start-up entries of Spybot which are weird characters.
pskelley
2007-07-11, 17:35
Ask your Spybot questions here:
http://forums.spybot.info/forumdisplay.php?f=4
Thanks