Tesllar A Trojan
mask_kishore
2008-03-05, 12:00
I have CA Yahoo! Anti-Spy. When I scan, it discovers the Tesllar A trojan. I click on Remove, but it says "Administrative rights required, cannot quarantine". I go into Safe Mode and try again, and it gets removed. But on logging in in Normal Mode, it appears again. It is infecting a file at C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk, which is created again even if I delete it. I would also like to mention that every time I open Internet Explorer, a popup opens up simultaneously. Now IE 7.0's popup blocker is also not working (corrupted). I tried reinstalling IE 7.0, but to no avail.
Here's a log file of Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:54 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS.1\System32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS.1\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files-2\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [osd] C:\Program Files\Netropa\Onscreen Display\osd.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203159617437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203159218859
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.1\System32\TuneUpDefragService.exe
--
End of file - 6810 bytes
Please help me, as it is very annoying. Thank you in advance!!
Hi mask_kishore
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
mask_kishore
2008-03-08, 13:04
Here's the log:
ComboFix 08-03-07.4 - Animesh 2008-03-08 16:16:02.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT 5.5:30]
Running from: C:\Documents and Settings\Animesh\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS.1\system32\drivers\core.cache.dsk
C:\WINDOWS.1\system32\drivers\mfeavfkk.sys
C:\WINDOWS.1\system32\pskill.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_MFEAVFKK
-------\mfeavfkk
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-08 16:09 . 2008-03-08 16:09 <DIR> d--hs---- C:\FOUND.002
2008-03-08 16:02 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS.1\system32\drivers\COH_Mon.sys
2008-03-08 16:02 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS.1\system32\drivers\COH_Mon.cat
2008-03-08 16:02 . 2008-01-15 05:28 706 --a------ C:\WINDOWS.1\system32\drivers\COH_Mon.inf
2008-03-07 20:44 . 2008-03-07 20:44 <DIR> d--hs---- C:\FOUND.001
2008-03-05 16:11 . 2008-03-05 16:11 <DIR> d--hs---- C:\FOUND.000
2008-03-03 21:44 . 2008-03-03 21:44 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-03-03 21:41 . 2008-03-03 21:41 <DIR> d-------- C:\Program Files\Symantec
2008-03-03 21:41 . 2008-03-05 14:28 123,952 --a------ C:\WINDOWS.1\system32\drivers\SYMEVENT.SYS
2008-03-03 21:41 . 2008-03-05 14:28 60,800 --a------ C:\WINDOWS.1\system32\S32EVNT1.DLL
2008-03-03 21:41 . 2008-03-05 14:28 10,740 --a------ C:\WINDOWS.1\system32\drivers\SYMEVENT.CAT
2008-03-03 21:41 . 2008-03-05 14:28 805 --a------ C:\WINDOWS.1\system32\drivers\SYMEVENT.INF
2008-03-03 21:40 . 2008-03-03 21:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-03 16:20 . 2008-03-03 16:20 <DIR> d-------- C:\Program Files\Easy Video Downloader
2008-03-03 15:01 . 2008-03-04 17:28 16 --a------ C:\WINDOWS.1\system32\coh.cache
2008-03-01 17:51 . 2008-03-01 17:51 <DIR> d-------- C:\Documents and Settings\Animesh\Application Data\Avant Profiles
2008-02-28 20:16 . 2008-02-28 20:16 158 --a------ C:\WINDOWS.1\TSDataEx.ini
2008-02-25 16:27 . 2008-02-25 16:27 306,432 --a------ C:\WINDOWS.1\system32\TuneUpDefragService.exe
2008-02-25 16:27 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS.1\system32\uxtuneup.dll
2008-02-23 19:30 . 2008-02-23 19:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\BOONTY
2008-02-23 14:50 . 2008-02-23 22:28 1,374 --a------ C:\WINDOWS.1\imsins.BAK
2008-02-23 14:36 . 2008-02-23 14:37 <DIR> d-------- C:\Documents and Settings\Animesh\Application Data\TuneUp Software
2008-02-23 14:36 . 2008-02-23 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\TuneUp Software
2008-02-23 14:35 . 2008-02-23 14:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 05:04 . 2008-02-23 05:04 <DIR> d-------- C:\Documents and Settings\Abhay\Application Data\Talkback
2008-02-22 16:08 . 2005-10-19 00:38 349,760 --a------ C:\WINDOWS.1\system32\mcinsctl.dll
2008-02-22 16:08 . 2005-05-25 07:53 288,320 --a------ C:\WINDOWS.1\system32\mcgdmgr.dll
2008-02-21 19:45 . 2008-02-21 19:45 <DIR> d-------- C:\Program Files\themexp
2008-02-19 20:56 . 2008-02-19 20:56 <DIR> d-------- C:\Program Files\Share Cracker
2008-02-19 20:56 . 2008-02-21 18:22 249,856 --------- C:\WINDOWS.1\Setup1.exe
2008-02-19 20:56 . 2008-02-21 18:22 73,216 --a------ C:\WINDOWS.1\ST6UNST.EXE
2008-02-19 19:02 . 2008-02-19 19:02 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-02-17 22:33 . 2004-08-04 11:29 34,688 --a------ C:\WINDOWS.1\system32\drivers\lbrtfdc.sys
2008-02-17 22:33 . 2004-08-04 11:29 34,688 --a------ C:\WINDOWS.1\system32\dllcache\lbrtfdc.sys
2008-02-17 22:33 . 2001-08-17 14:07 27,296 --a------ C:\WINDOWS.1\system32\drivers\perc2.sys
2008-02-17 22:33 . 2001-08-17 14:07 27,296 --a------ C:\WINDOWS.1\system32\dllcache\perc2.sys
2008-02-17 22:33 . 2001-08-17 13:52 17,280 --a------ C:\WINDOWS.1\system32\drivers\mraid35x.sys
2008-02-17 22:33 . 2001-08-17 13:52 17,280 --a------ C:\WINDOWS.1\system32\dllcache\mraid35x.sys
2008-02-17 22:33 . 2001-08-17 14:07 5,504 --a------ C:\WINDOWS.1\system32\drivers\perc2hib.sys
2008-02-17 22:33 . 2001-08-17 14:07 5,504 --a------ C:\WINDOWS.1\system32\dllcache\perc2hib.sys
2008-02-17 22:32 . 2008-02-17 22:33 <DIR> d-------- C:\Documents and Settings\Animesh\Application Data\PrevxCSI
2008-02-16 15:51 . 2008-02-16 15:51 <DIR> d--hs---- C:\Documents and Settings\Animesh\UserData
2008-02-16 12:50 . 2008-02-16 12:50 <DIR> d-------- C:\Documents and Settings\Animesh\Application Data\Hewlett-Packard
2008-02-15 21:27 . 2008-02-15 21:27 <DIR> d-------- C:\Program Files\Google
2008-02-15 16:42 . 2000-06-08 09:09 28,672 --------- C:\WINDOWS.1\system32\msiosd32.dll
2008-02-15 16:42 . 2001-10-15 14:43 6,656 --a------ C:\WINDOWS.1\system32\drivers\Msikbd2k.sys
2008-02-14 14:59 . 2008-02-14 14:59 <DIR> d-------- C:\WINDOWS.1\SHELLNEW
2008-02-14 12:05 . 2008-02-14 12:05 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-14 12:03 . 2008-02-14 12:03 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-14 12:00 . 2008-02-14 12:00 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-02-14 11:54 . 2008-02-14 11:54 <DIR> dr-h----- C:\MSOCache
2008-02-13 20:40 . 2008-02-13 20:47 23,392 --a------ C:\WINDOWS.1\system32\nscompat.tlb
2008-02-13 20:40 . 2008-02-13 20:47 16,832 --a------ C:\WINDOWS.1\system32\amcompat.tlb
2008-02-13 19:31 . 2008-02-13 19:31 <DIR> d-------- C:\Documents and Settings\Animesh\Application Data\LimeWire
2008-02-11 16:58 . 2008-02-11 16:58 360,064 --a------ C:\WINDOWS.1\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-10 22:08 . 2008-02-10 22:08 <DIR> d-------- C:\Program Files\Program Files
2008-02-10 15:38 . 2008-02-10 15:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Exetender
2008-02-10 15:38 . 2006-08-24 11:14 3,262 --------- C:\WINDOWS.1\Indiagames.ico
2008-02-10 15:38 . 2008-02-10 15:38 72 --a------ C:\WINDOWS.1\GPlrLanc.dat
2008-02-09 19:33 . 2008-02-09 19:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\SupportSoft
2008-02-09 19:32 . 2008-02-09 19:32 <DIR> d-------- C:\Program Files\Airtel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 14:16 85,504 ----a-w C:\WINDOWS.1\system32\VACFix.exe
2008-02-11 11:28 360,064 ----a-w C:\WINDOWS.1\system32\drivers\TCPIP.SYS
2008-02-11 11:28 360,064 ----a-w C:\WINDOWS.1\system32\dllcache\TCPIP.SYS
2008-02-08 05:07 82,432 ----a-w C:\WINDOWS.1\system32\IEDFix.exe
2008-02-06 11:59 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Spybot - Search & Destroy
2008-02-05 14:28 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Symantec
2008-01-31 11:55 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-31 11:55 --------- d-----w C:\Program Files\CA Yahoo! Anti-Spy
2008-01-31 11:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-31 11:50 --------- d-----w C:\Documents and Settings\Animesh\Application Data\Yahoo!
2008-01-30 05:35 --------- d-----w C:\Documents and Settings\Baby\Application Data\Grisoft
2008-01-29 15:24 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Grisoft
2008-01-29 15:13 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\WinZip
2008-01-29 14:42 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Kaspersky Lab
2008-01-29 13:58 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Kaspersky Lab Setup Files
2008-01-28 14:58 --------- d-----w C:\Program Files\PowerISO
2008-01-21 13:32 --------- d-----w C:\Documents and Settings\Abhay\Application Data\Styler
2008-01-21 13:30 --------- d-----w C:\Documents and Settings\Abhay\Application Data\McAfee
2008-01-20 11:08 --------- d-----w C:\Documents and Settings\Animesh\Application Data\Styler
2008-01-20 07:08 33,292 ----a-w C:\WINDOWS.1\system32\drivers\scdemu.sys
2008-01-19 03:32 --------- d-----w C:\Documents and Settings\Baby\Application Data\McAfee
2008-01-18 13:55 --------- d-----w C:\Documents and Settings\Animesh\Application Data\McAfee
2008-01-14 14:54 --------- d-----w C:\Program Files\Hp
2008-01-14 14:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS.1\system32\frapsvid.dll
2008-01-11 05:53 44,544 ------w C:\WINDOWS.1\system32\dllcache\pngfilt.dll
2008-01-10 15:37 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\Quark
2008-01-10 11:05 --------- d-----w C:\Documents and Settings\Animesh\Application Data\MiniDm
2008-01-09 16:22 --------- d-----w C:\Documents and Settings\Animesh\Application Data\Symantec
2008-01-08 15:37 --------- d-----w C:\DOCUME~1\ALLUSE~1.1\APPLIC~1\McAfee
2007-12-19 23:01 347,136 ------w C:\WINDOWS.1\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS.1\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS.1\system32\dllcache\mshtml.dll
2000-12-12 05:47 100,432 ------w C:\Program Files\Win2000PPAHotfix.exe
.
------- Sigcheck -------
482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS.1\system32\drivers\tcpip.sys
----a-w 360,064 2008-02-11 11:28:42 C:\WINDOWS.1\system32\drivers\TCPIP.SYS
----a-w 360,064 2008-02-11 11:28:42 C:\WINDOWS.1\system32\dllcache\TCPIP.SYS
------w 360,576 2006-04-20 12:18:36 C:\WINDOWS.1\$hf_mig$\KB917953\SP2QFE\tcpip.sys
------w 360,832 2007-10-30 16:53:32 C:\WINDOWS.1\$hf_mig$\KB941644\SP2QFE\tcpip.sys
------w 327,168 2001-08-18 06:30:00 C:\WINDOWS.1\$NtServicePackUninstall$\tcpip.sys
----a-w 359,040 2004-08-04 06:14:40 C:\WINDOWS.1\ServicePackFiles\i386\TCPIP.SYS
------w 359,808 2006-04-20 11:51:50 C:\WINDOWS.1\$NtUninstallKB941644$\tcpip.sys
------w 359,040 2004-08-04 06:14:40 C:\WINDOWS.1\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS.1\system32\ctfmon.exe" [2004-08-04 13:26 15360]
"osd"="C:\Program Files\Netropa\Onscreen Display\osd.exe" [2001-11-02 08:42 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-11-08 23:10 147456]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-15 08:40 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 15:41 771704]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"HPDJ Taskbar Utility"=C:\WINDOWS.1\system32\spool\drivers\w32x86\3\hpztsb08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="D:\Program Files-2\Java\jre1.6.0_03\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"nxpclient"=C:\Program Files\Airtel\NetXpert\bin\sprtcmd.exe /P nxpclient
"Adobe Reader Speed Launcher"="D:\Program Files-2\Adobe\Acrobat 8.1\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\Program Files-2\\GetRight\\GetRight.exe"=
"D:\\Program Files-2\\Microsoft Games\\Age of Empires 2\\age2_x1.exe"=
"C:\\Documents and Settings\\All Users.WINDOWS.1\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"D:\\Program Files-2\\uTorrent\\utorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54952:TCP"= 54952:TCP:utorrent
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS.1\system32\DRIVERS\msikbd2k.sys [2001-10-15 14:43]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 13:41]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS.1\System32\svchost.exe [2004-08-04 13:26]
S2 sprtsvc_nxpclient;SupportSoft Sprocket Service (nxpclient);C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe [2007-12-06 11:45]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" []
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [2007-12-06 11:50]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS.1\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS.1\system32\DRIVERS\SymIM.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS.1\System32\TuneUpDefragService.exe [2008-02-25 16:27]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
C:\DOCUME~1\Animesh\LOCALS~1\Temp\nya.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 16:20:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
.
**************************************************************************
.
Completion time: 2008-03-08 16:21:57 - machine was rebooted [Animesh]
ComboFix-quarantined-files.txt 2008-03-08 10:51:54
.
2008-02-23 16:59:02 --- E O F ---
Thank you for taking so much trouble to look into my problem.
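The ComboFix output above already contains the tamper indicators a responder would want pulled out automatically: Security Center monitoring switched off, the Windows Firewall disabled, an Active Setup Installed Components entry that launches from the user's Temp folder, and cached AutoRun handlers for removable drives. The Python script below is an added example written for this page; it is not part of the original thread and not ComboFix's own code. It parses the "Reg Loading Points" lines of the sample (an excerpt copied from the log above) and prints one finding per indicator. The registry-path substrings it matches on and the list of user-writable directories are assumptions chosen for the example.

```python
import re

# Excerpt copied from the ComboFix 'Reg Loading Points' section posted above
# (trimmed to the lines the checks below look at).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-15 08:40 116328]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54952:TCP"= 54952:TCP:utorrent
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
C:\DOCUME~1\Animesh\LOCALS~1\Temp\nya.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Directories a legitimate Active Setup launcher has no business living in (assumed list).
USER_WRITABLE_RE = re.compile(r"\\(temp|locals~1|local settings|application data|appdata)\\", re.I)


def parse_reg_points(text):
    """Yield (key, value_line) pairs: each bracketed key owns the lines that follow it."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is not None:
            yield key, line


def check_reg_points(text):
    """Return human-readable findings for the tamper indicators in a ComboFix dump."""
    findings = []
    for key, value in parse_reg_points(text):
        k = key.lower()
        if "security center\\monitoring" in k and re.search(r'"DisableMonitoring"=dword:0*1$', value):
            findings.append(f"security-center: monitoring disabled under {key}")
        elif "firewallpolicy\\standardprofile" in k and re.match(r'"EnableFirewall"=\s*0\b', value):
            findings.append("firewall: Windows Firewall disabled (EnableFirewall=0)")
        elif "globallyopenports" in k:
            port = value.split("=", 1)[0].strip().strip('"')
            findings.append(f"firewall: globally open port {port}")
        elif "active setup\\installed components" in k and USER_WRITABLE_RE.search(value):
            findings.append(f"active-setup: per-user launcher in a user-writable path: {value}")
        elif "mountpoints2" in k and "autorun\\command" in value.lower():
            drive = key.rsplit("\\", 1)[-1]
            target = value.split(" - ", 1)[-1]
            findings.append(f"autorun: drive {drive}: runs {target} via cached AutoRun handler")
    return findings


if __name__ == "__main__":
    for finding in check_reg_points(SAMPLE_LOG):
        print(finding)
```

The Active Setup check is the one that matters most for the "it comes back after a reboot" symptom: Installed Components entries run once per user profile at logon, so an entry pointing into Temp re-drops the payload for every user that logs in, which is consistent with the file reappearing after a Safe Mode removal.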
Hi
Please post also a fresh HijackThis log :)
mask_kishore
2008-03-10, 14:26
Here's the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:29 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Program Files\Netropa\Onscreen Display\osd.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files-2\Adobe\Adobe Photoshop 7.0 Thinstalled\Adobe Photoshop 7.0\1000000600002i\svchost.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files-2\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [osd] C:\Program Files\Netropa\Onscreen Display\osd.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203159617437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203159218859
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.1\System32\TuneUpDefragService.exe
--
End of file - 7177 bytes
Thank you!!!
Hi
Please click this link --> Jotti (http://virusscan.jotti.org/)
Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).
D:\Program Files-2\Adobe\Adobe Photoshop 7.0 Thinstalled\Adobe Photoshop 7.0\1000000600002i\svchost.exe
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note: This scanner will work with Internet Explorer only!
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
- jotti/virustotal results
mask_kishore
2008-03-11, 07:21
Here are the 3 logs:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 10, 2008 9:48:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 622079
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 82921
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:51:08
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\LiveUpdate\2008-03-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtETmp\BF4FB9DD.TMP Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SRTSP\SrtETmp\0F20D43D.TMP Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped
C:\Documents and Settings\Animesh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Animesh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Animesh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Animesh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Animesh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Animesh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Animesh\ntuser.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\Bonus\Log\Shazam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\System Volume Information\_restore{9389FA40-36AE-4EC9-8EAA-F2B2833FE409}\RP190\A0115260.SYS Infected: Rootkit.Win32.Agent.zl skipped
C:\System Volume Information\_restore{9389FA40-36AE-4EC9-8EAA-F2B2833FE409}\RP191\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS.1\system32\drivers\mfeavfkk.sys.vir Infected: Rootkit.Win32.Agent.zl skipped
C:\WINDOWS.1\system32\config\system.LOG Object is locked skipped
C:\WINDOWS.1\system32\config\software.LOG Object is locked skipped
C:\WINDOWS.1\system32\config\default.LOG Object is locked skipped
C:\WINDOWS.1\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS.1\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS.1\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS.1\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS.1\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS.1\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS.1\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS.1\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS.1\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS.1\system32\config\SECURITY Object is locked skipped
C:\WINDOWS.1\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS.1\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS.1\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS.1\system32\config\SAM Object is locked skipped
C:\WINDOWS.1\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS.1\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS.1\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS.1\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS.1\system32\h323log.txt Object is locked skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\WINDOWS.1\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS.1\ie8_main.log Object is locked skipped
C:\WINDOWS.1\SchedLgU.Txt Object is locked skipped
C:\WINDOWS.1\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS.1\WindowsUpdate.log Object is locked skipped
D:\Program Files-2\Downloads\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Program Files-2\Downloads\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Program Files-2\Downloads\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\Program Files-2\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
Scan process completed.
########################################
################################################################################
Thank You !!!
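The Kaspersky report above mixes three kinds of lines: locked objects (files in use, not detections), named detections, and archive summaries such as "NSIS: infected - 4". The helper's follow-up depends on where each detection sits (a System Restore point, another tool's quarantine folder, a Temp directory). As an added example that is not code from this thread or from Kaspersky, the Python script below parses lines in that report format and sorts them into those buckets; the category names and the sample lines (copied from the report above) are constructed for this example.

```python
"""Triage helper for Kaspersky Online Scanner 5 report lines (added example)."""
import re
from collections import Counter
from typing import Optional

# One report line: <path>, then one of three status forms, then "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+))"
    r"\s+skipped$"
)

# Sample lines copied from the report in this thread (constructed test input).
SAMPLE_REPORT = r"""
C:\WINDOWS.1\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{9389FA40-36AE-4EC9-8EAA-F2B2833FE409}\RP190\A0115260.SYS Infected: Rootkit.Win32.Agent.zl skipped
C:\QooBox\Quarantine\C\WINDOWS.1\system32\drivers\mfeavfkk.sys.vir Infected: Rootkit.Win32.Agent.zl skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\WINDOWS.1\Temp\ONE13A.tmp\upgrade.exe NSIS: infected - 4 skipped
D:\Program Files-2\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""


def classify(line: str) -> Optional[dict]:
    """Return a triage record for one report line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    rec = {"path": path, "verdict": m.group("verdict"), "category": "active"}
    lowered = path.lower()
    if m.group("locked"):
        rec["category"] = "locked"          # file in use; not a detection at all
    elif m.group("container"):
        rec["category"] = "container"       # archive summary; members are listed separately
        rec["verdict"] = f"{m.group('container')} ({m.group('count')} members)"
    elif "\\system volume information\\_restore" in lowered:
        rec["category"] = "restore-point"   # inert unless System Restore re-applies it
    elif "\\quarantine\\" in lowered or lowered.endswith(".vir"):
        rec["category"] = "quarantined"     # already neutralised by another tool
    elif rec["verdict"].startswith("not-a-virus:"):
        rec["category"] = "riskware"        # adware/risktool, not necessarily malicious
    return rec


def triage(report: str) -> dict:
    """Summarise a whole report: counts per category plus the lines that need action."""
    records = [r for r in (classify(ln) for ln in report.splitlines()) if r]
    counts = Counter(r["category"] for r in records)
    actions = []
    for r in records:
        if r["category"] == "active":
            actions.append(f"REMOVE {r['path']} ({r['verdict']})")
        elif r["category"] == "riskware":
            actions.append(f"DELETE if unwanted: {r['path']} ({r['verdict']})")
        elif r["category"] == "quarantined":
            actions.append(f"EMPTY the quarantine folder holding {r['path']}")
        elif r["category"] == "restore-point":
            actions.append(f"PURGE restore points after cleanup: {r['path']}")
    return {"counts": dict(counts), "actions": actions}


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT)["actions"]:
        print(line)
```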
mask_kishore
2008-03-11, 07:22
Log of Virustotal:
File svchost.exe received on 03.10.2008 14:30:19 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.10 Win-Trojan/Agent.19370
AntiVir 7.6.0.73 2008.03.10 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 -
AVG 7.5.0.516 2008.03.10 -
BitDefender 7.2 2008.03.10 -
CAT-QuickHeal 9.50 2008.03.08 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.10 -
DrWeb 4.44.0.09170 2008.03.10 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.10 -
FileAdvisor 1 2008.03.10 -
Fortinet 3.14.0.0 2008.03.10 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.10 -
Ikarus T3.1.1.20 2008.03.10 AdWare.Win32.Agent.ahg
Kaspersky 7.0.0.125 2008.03.10 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2934 2008.03.10 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.10 -
Rising 20.35.02.00 2008.03.10 -
Sophos 4.27.0 2008.03.10 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.10 -
TheHacker 6.2.92.239 2008.03.09 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.10 Win32.Malware.gen (suspicious)
Additional information
File size: 7680 bytes
MD5: d42d9e1c87a450fcdaea08c61f04ff44
SHA1: c6db49918f897d2d9eb8c7a3f52b4e4bba75da57
PEiD: -
################################################################################
Thank You !!!
mask_kishore
2008-03-11, 07:23
Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:16 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS.1\system32\ctfmon.exe
D:\Program Files-2\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=105563
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [osd] C:\Program Files\Netropa\Onscreen Display\osd.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203159617437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203159218859
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D7DDB22-51A7-4018-AEF2-564834DC5942}: NameServer = 202.56.215.6,202.56.215.54
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.1\System32\TuneUpDefragService.exe
--
End of file - 7166 bytes
################################################################################
Thank You !!!
Hi
Empty these folders:
C:\QooBox\Quarantine\
C:\WINDOWS.1\Temp\
Delete this:
D:\Program Files-2\Adobe\Adobe Photoshop 7.0 Thinstalled\Adobe Photoshop 7.0\1000000600002i\svchost.exe
Empty Recycle Bin.
Still problems?
mask_kishore
2008-03-11, 18:05
Thank You for solving my problem.
Can you recommend a good internet security suite, since Norton neither detects nor prevents the installation or presence of these types of malware?
Also, what should I do, because since this malware came, Internet Explorer 7's pop-up blocker has stopped working and even reinstalling doesn't help?
Thank You once again ...
Hi
"Can you recommend a good internet security suite, since Norton neither detects nor prevents the installation or presence of these types of malware?"
No internet security suite can recognize all malware.
There is nothing specifically wrong with Norton.
However, if you would like to change, Kaspersky Internet Security would be my choice.
"Also, what should I do, because since this malware came, Internet Explorer 7's pop-up blocker has stopped working and even reinstalling doesn't help?"
You have IE 8 installed now, right?
Due to the lack of feedback, this topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.