View Full Version : cannot remover virtumonde ... pls help
dustangel
2008-07-29, 22:49
i tried scanning in safemode n even though safebot detected virtumonde it was unable to remove it.... pls help.... im posting the HJT log file....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:00 AM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - C:\WINDOWS\system32\yayyVliJ.dll (file missing)
O2 - BHO: (no name) - {39DC821C-FE03-415F-8F47-B50ADA5D7D1A} - C:\WINDOWS\system32\jkkIYspN.dll
O2 - BHO: (no name) - {BBFDA5E2-DD72-4171-9040-0FFA4331D406} - (no file)
O2 - BHO: (no name) - {C20A5313-F546-4CF6-8249-7F2C170111A4} - C:\WINDOWS\system32\iifgEUNF.dll (file missing)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [b4a2c651] rundll32.exe "C:\WINDOWS\system32\tutnmxit.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: jkkIYspN - C:\WINDOWS\SYSTEM32\jkkIYspN.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5479 bytes
Hello dustangel
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You have a double whammy here, besides Vundo your also infected with the SDBot worm
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - C:\WINDOWS\system32\yayyVliJ.dll (file missing)
O2 - BHO: (no name) - {39DC821C-FE03-415F-8F47-B50ADA5D7D1A} - C:\WINDOWS\system32\jkkIYspN.dll
O2 - BHO: (no name) - {BBFDA5E2-DD72-4171-9040-0FFA4331D406} - (no file)
O2 - BHO: (no name) - {C20A5313-F546-4CF6-8249-7F2C170111A4} - C:\WINDOWS\system32\iifgEUNF.dll (file missing)
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\tutnmxit.dll",b
O20 - Winlogon Notify: jkkIYspN - C:\WINDOWS\SYSTEM32\jkkIYspN.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
This tool needs to be run from Safemode to be effective, so download it to your desktop, boot to Safemode to run it.
To Enter Safemode
Go to [b]Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
dustangel
2008-08-01, 09:40
hey there...thanx for the immediate reply to my post.... i really appreciate the kinda effort u guys r putting in to help us ..... as u had mentioned in the reply i ran a HijackThis scan n i did uncheck the entries that u had mentioned.... but the following entries were not found in the hijack this scan result....
O2 - BHO: (no name) - {00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - C:\WINDOWS\system32\yayyVliJ.dll (file missing)
O2 - BHO: (no name) - {39DC821C-FE03-415F-8F47-B50ADA5D7D1A} - C:\WINDOWS\system32\jkkIYspN.dll
O2 - BHO: (no name) - {BBFDA5E2-DD72-4171-9040-0FFA4331D406} - (no file)
O2 - BHO: (no name) - {C20A5313-F546-4CF6-8249-7F2C170111A4} - C:\WINDOWS\system32\iifgEUNF.dll (file missing)
O20 - Winlogon Notify: jkkIYspN - C:\WINDOWS\SYSTEM32\jkkIYspN.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll*
the other entries which u had mentioned which wud appear in the hijack this log was checked n i pressed fix checked....
n as for the sdfix ..... i downloaded it to the desktop .... n i cudnt restart my pc in safemode by pressing F8 .... the only screen that popped up after pressing F8 was to select which boot device which i wud like to start up vth ... whether twas the harddrive or floppy or cd-rom ... so in the normal windows mode itself i ran msconfig.exe.... n in boot.ini i clicked safeboot ... n ran the runthis.bat in safemode.... then on restarting i forgot to uncheck safeboot n so after restarting it logged on in the safe mode only ... i had to uncheck safeboot in boot.ini .... n when it logged on in the normal windows mode it did the rest of the scanning n produced the following reoport..... i have pasted the contents of report.txt... n im posting the hijackthis log tooo .... waiting for ur reply ...thanx in advance....
SDFix: Version 1.211
Run by Sreejith on Fri 08/01/2008 at 11:44 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\jkkIYspN.dll - Deleted
C:\Program Files\PCHealthCenter\0.gif - Deleted
C:\Program Files\PCHealthCenter\1.gif - Deleted
C:\Program Files\PCHealthCenter\2.gif - Deleted
C:\Program Files\PCHealthCenter\3.gif - Deleted
C:\Program Files\PCHealthCenter\sc.html - Deleted
C:\Program Files\PCHealthCenter\sex1.ico - Deleted
C:\Program Files\PCHealthCenter\sex2.ico - Deleted
C:\Program Files\VAV\vav.cpl - Deleted
C:\Program Files\VAV\vav.ooo - Deleted
C:\WINDOWS\nfavxwdblwf.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted
Folder C:\Program Files\PCHealthCenter - Removed
Folder C:\Program Files\VAV - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 11:49:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 5 Jun 2008 1,427,280 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Thu 5 Jun 2008 4,906,832 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Jun 2008 2,113,360 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Sreejith\Application Data\U3\temp\Launchpad Removal.exe"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:15 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 4479 bytes
Hi,
Lets get Vundo
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
dustangel
2008-08-01, 13:56
Here r the MBAM and HijackThis log files......
Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2
4:17:37 PM 8/1/2008
mbam-log-8-1-2008 (16-17-37).txt
Scan type: Quick Scan
Objects scanned: 36827
Time elapsed: 3 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\geiicuaq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMfGAsq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jerpck.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ef0915a-55d2-4ae3-877d-65f1bdc69f3b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ef0915a-55d2-4ae3-877d-65f1bdc69f3b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53fb8358-b37a-4af4-9d3d-d35809df02a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{53fb8358-b37a-4af4-9d3d-d35809df02a6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b12ec5ac-7a7d-4be4-8562-912012514fac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4a2c651 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfgasq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfgasq -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\jerpck.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMfGAsq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qsAGfMoq.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qsAGfMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tekmdmnb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bnmdmket.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geiicuaq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qauciieg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baieqaaq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulifbqtn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yojltg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hawpncvi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ortodx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sreejith\Local Settings\Temporary Internet Files\Content.IE5\HI123MEF\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sreejith\Local Settings\Temporary Internet Files\Content.IE5\DM4YE4O3\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvTkKEW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcBUnMF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnligHa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcDWOFU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdedEV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfEVmKE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:53 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 4535 bytes
dustangel,
Your doing very well, you should see a big improvement on your system. There may be more of Vundo that we can't see so let do a couple of more things.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
dustangel
2008-08-01, 19:23
here r the logs of combo fix n HJT .... when i checked my sygate firewall .... 2 new processes have been blocked by the sygate firewall... i wud like to know what they r .... these r the 2 processes which have been blocked :-
"Application Layer GatewayService" residing in c:\windows\system32\alg.exe
"Services and controller app" residing in C:\windows\system32\services.exe
ComboFix 08-07-31.06 - Sreejith 2008-08-01 21:31:43.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT -12:00]
Running from: C:\Documents and Settings\Sreejith\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\FNUEgfii.ini
C:\WINDOWS\system32\FNUEgfii.ini2
C:\WINDOWS\system32\JilVyyay.ini
C:\WINDOWS\system32\JilVyyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnpriaxl.dll
C:\WINDOWS\system32\npxozt.dll
C:\WINDOWS\system32\qoMfGAsq.dll
C:\WINDOWS\system32\qsAGfMoq.ini
C:\WINDOWS\system32\qsAGfMoq.ini2
C:\WINDOWS\system32\tixmntut.ini
C:\WINDOWS\system32\wjchqcvn.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.
2008-08-01 16:07 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\Malwarebytes
2008-08-01 16:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 16:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:43 . 2008-08-01 11:43 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-01 11:41 . 2008-08-01 11:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-01 11:34 . 2008-08-01 04:33 <DIR> d-------- C:\SDFix
2008-08-01 10:11 . 2008-08-01 10:11 <DIR> d--hs---- C:\FOUND.008
2008-07-30 01:09 . 2008-07-30 01:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 00:49 . 2008-07-30 00:49 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-28 01:36 . 2008-07-28 01:36 <DIR> d-------- C:\Program Files\ESET
2008-07-28 00:37 . 2008-07-28 00:37 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\ESET
2008-07-28 00:34 . 2008-07-28 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 17:09 . 2008-07-27 17:09 <DIR> d---s---- C:\Documents and Settings\Sreejith\UserData
2008-07-27 17:01 . 2008-07-27 17:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-27 02:00 . 2008-07-27 02:00 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-27 00:22 . 2008-07-27 00:22 <DIR> d-------- C:\Program Files\Sygate
2008-07-27 00:22 . 2003-10-14 19:20 77,824 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-07-27 00:22 . 2003-10-14 19:09 55,888 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-07-27 00:22 . 2003-10-14 19:11 18,515 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-07-27 00:22 . 2003-10-14 19:06 11,914 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-07-27 00:10 . 2008-07-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-27 00:08 . 2008-07-27 00:08 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 23:57 . 2008-07-26 23:57 26 --a------ C:\WINDOWS\DGcounter.ini
2008-07-26 23:39 . 2008-07-26 23:39 <DIR> d--hs---- C:\FOUND.007
2008-07-26 19:27 . 2008-07-26 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 18:39 . 2008-07-26 18:39 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 14:12 . 2008-07-26 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Program Files\NCH Software
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\NCH Swift Sound
2008-07-23 22:50 . 2008-07-23 22:50 <DIR> d--hs---- C:\FOUND.006
2008-07-22 23:14 . 2008-07-22 23:14 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-07-22 23:14 . 2008-07-22 23:14 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-07-22 15:48 . 2008-07-22 15:48 <DIR> d-------- C:\Documents and Settings\Sreejith\Contacts
2008-07-22 15:20 . 2008-07-22 15:20 <DIR> d--hs---- C:\FOUND.005
2008-07-21 01:32 . 2008-07-21 01:32 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-07-21 01:31 . 2008-07-21 01:31 <DIR> d-------- C:\Program Files\WinUtilities
2008-07-19 22:42 . 2008-07-19 22:42 <DIR> d--hs---- C:\FOUND.004
2008-07-17 22:22 . 2008-07-17 22:22 <DIR> d--hs---- C:\FOUND.003
2008-07-14 03:08 . 2008-07-26 20:29 268 --ah----- C:\sqmdata19.sqm
2008-07-14 03:08 . 2008-07-26 20:29 244 --ah----- C:\sqmnoopt19.sqm
2008-07-13 23:14 . 2008-07-13 23:14 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-13 23:11 . 2008-07-13 23:11 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-13 23:11 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-06 03:02 . 2008-07-26 15:45 268 --ah----- C:\sqmdata18.sqm
2008-07-06 03:02 . 2008-07-26 15:45 244 --ah----- C:\sqmnoopt18.sqm
2008-07-06 00:10 . 2008-07-26 03:11 268 --ah----- C:\sqmdata17.sqm
2008-07-06 00:10 . 2008-07-26 03:11 244 --ah----- C:\sqmnoopt17.sqm
2008-07-05 01:33 . 2008-07-26 02:18 268 --ah----- C:\sqmdata16.sqm
2008-07-05 01:33 . 2008-07-26 02:18 244 --ah----- C:\sqmnoopt16.sqm
2008-07-02 23:05 . 2008-07-25 23:17 268 --ah----- C:\sqmdata15.sqm
2008-07-02 23:05 . 2008-07-25 23:17 244 --ah----- C:\sqmnoopt15.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 21:04 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-07-01 21:04 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-07-01 21:04 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-07-01 20:57 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-07-01 20:56 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-30 12:26 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia Multimedia Player
2008-06-30 10:37 --------- d-----w C:\Program Files\IVT Corporation
2008-06-29 16:43 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ACD Systems
2008-06-29 08:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-06-29 07:01 --------- d-----w C:\Program Files\BitLord
2008-06-29 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-29 06:25 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-29 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-29 06:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-06-29 05:56 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\U3
2008-06-29 04:16 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\vlc
2008-06-29 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-06-29 00:53 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-29 00:53 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-29 00:05 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Datalayer
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeUM
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeAUM
2008-06-28 23:21 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia
2008-06-28 23:18 --------- d-----w C:\Program Files\DIFX
2008-06-28 23:17 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\PC Suite
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 23:16 --------- d-----w C:\Program Files\Nokia
2008-06-28 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-06-24 09:56 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Program Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-24 09:53 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Ahead
2008-06-24 09:50 --------- d-----w C:\Program Files\Opera
2008-06-24 09:37 --------- d-----w C:\Program Files\MSN Messenger
2008-06-24 09:36 --------- d-----w C:\Program Files\Yahoo!
2008-06-24 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-24 09:35 --------- d-----w C:\Program Files\Google
2008-06-24 09:22 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ArcSoft
2008-06-24 09:20 --------- d-----w C:\Program Files\INITIO
2008-06-24 09:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-06-24 09:19 --------- d-----w C:\Program Files\ArcSoft
2008-06-24 08:54 --------- d-----w C:\Program Files\Common Files\HP
2008-06-24 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-24 08:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-24 08:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-24 08:47 --------- d-----w C:\Program Files\HP
2008-06-24 08:41 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\HP
2008-06-24 08:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 08:14 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-06-24 08:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 08:14 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Symantec
2008-06-24 08:05 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-24 08:05 --------- d-----w C:\Program Files\Common Files\L&H
2008-06-24 08:04 --------- d-----w C:\Program Files\Microsoft Works
2008-06-24 08:03 --------- d-----w C:\Program Files\Microsoft.NET
2005-05-27 02:35 1,422 ----a-w C:\Program Files\ReadMe.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 09:22 3739648]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2003-10-21 16:36 2334792]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 09:01 1447168]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-06-23 21:19:28 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbi54.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci16.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio38.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsc63.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsy51.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winta40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winub40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe40.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
R3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 14:54]
S0 Winbi54;Winbi54;C:\WINDOWS\system32\Drivers\Winbi54.sys []
S0 Winci16;Winci16;C:\WINDOWS\system32\Drivers\Winci16.sys []
S0 Windj05;Windj05;C:\WINDOWS\system32\Drivers\Windj05.sys []
S0 Winfl05;Winfl05;C:\WINDOWS\system32\Drivers\Winfl05.sys []
S0 Wingm40;Wingm40;C:\WINDOWS\system32\Drivers\Wingm40.sys []
S0 Winio38;Winio38;C:\WINDOWS\system32\Drivers\Winio38.sys []
S0 Winpv73;Winpv73;C:\WINDOWS\system32\Drivers\Winpv73.sys []
S0 Winsc63;Winsc63;C:\WINDOWS\system32\Drivers\Winsc63.sys []
S0 Winsy51;Winsy51;C:\WINDOWS\system32\Drivers\Winsy51.sys []
S0 Winta40;Winta40;C:\WINDOWS\system32\Drivers\Winta40.sys []
S0 Winub40;Winub40;C:\WINDOWS\system32\Drivers\Winub40.sys []
S0 Winvc73;Winvc73;C:\WINDOWS\system32\Drivers\Winvc73.sys []
S0 Winwe40;Winwe40;C:\WINDOWS\system32\Drivers\Winwe40.sys []
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a78e90b-4592-11dd-ac78-0080482fc059}]
\Shell\AutoRun\command - N:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff18e102-5648-11dd-ac92-00158309cee0}]
\Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run*
\Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run**
\Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run*
.
- - - - ORPHANS REMOVED - - - -
BHO-{00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - C:\WINDOWS\system32\yayyVliJ.dll
BHO-{C20A5313-F546-4CF6-8249-7F2C170111A4} - C:\WINDOWS\system32\iifgEUNF.dll
MSConfigStartUp-Sys9 - C:\Windows\Sys9.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Sreejith\Application Data\Mozilla\Firefox\Profiles\men0sm26.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 21:35:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
.
**************************************************************************
.
Completion time: 2008-08-01 21:37:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 09:36:58
Pre-Run: 5,421,678,592 bytes free
Post-Run: 5,372,067,840 bytes free
298
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:07 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 4863 bytes
Looking Good :bigthumb:
The only issue I see that may be a problem is that you should only have One Firewall installed, the only time you can have two is if one is a software firewall and one is a hardware firewall ( like a router for instance ) more than one software firewall is overkill and can actually cause some issues at times. If NOD is a suite that includes a firewall than uninstall Sygate.
Those two processes are legit and should be allowed.
http://www.neuber.com/taskmanager/process/alg.exe.html
http://www.wheresjames.com/index.php?page=sa&fname=services.exe&company=Microsoft%20Corporation&show=1
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How is your system behaving now?????
dustangel
2008-08-01, 21:24
thaaaaaaaaaaaaaaaanx a loooooot buddy http://forums.spybot.info/images/smilies/smile.gif ...... i tried scanning my whole system using spybot n no more virtumoonde threats.....is there nething else that i have to do frequently to keep my pc safe from viruses,trojans,malware/spyware/adware ? shud i check teatimer in spybot ? im having another issue which im finding it tough to rectify .... im having a 500gb simpletech external hard disk.... im sure all of these infections in my pc r due to the files from my external harddidk .... but when i scanned it using nod32 it din show ne threats .... n mostly a window pops up saying that the file or directory is unreadable or corrupted ...i tried running chckdsk utility to rectify the errors on the harddisk but twas oof no use coz the window vth the msg saying that the file or directory is corrupt or unreadable keeps popping up when i click certain files on the external hard disk........ how do i rectify it ??
Thats great, glad things are running better for you :bigthumb:
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
If all the files are corrupted on your external drive, you may be better off just formating it and start from scratch. I will let you post here for your external hard disk issue as this forum is for Malware Removal only.
Windows Tech Support Forums
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html) <-- Our own forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Bleeping Computer (http://www.bleepingcomputer.com/forums/forum56.html) <--Good XP Forum
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
Hardwareguys (http://forums.hardwareguys.com/) <-- Another good one
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
Safe Surfn
Ken
dustangel
2008-08-02, 08:55
gosh !!!! vundo is back .... as per ur last reply i was going thru the different links n i just downloaded pc pitstop disk md.... but apparently it appeared to be a trial version ...n i had downloaded the patch from phazeddl.com ... b4 installing it i scanned it using nod32 n mbam .... both of em din show ne threats.... even after installing it ... i tried scanning the system using spybot .... n even it din show ne vundo threat... but i simply tried scanning using mbam after installing pc pitstop disk md using the patch ....it showed me a vundo infection along vth some kinda trojan .... im sorry for it getting affected again .... can u help me again ... im posting the log file of mbam ....
Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2
11:16:01 AM 8/2/2008
mbam-log-8-2-2008 (11-16-01).txt
Scan type: Quick Scan
Objects scanned: 36596
Time elapsed: 2 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39dc821c-fe03-415f-8f47-b50ada5d7d1a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
Hi,
PcPitStop is a very reliable site and one of there main functions is to remove Malware, not distribute it
I imagine these are just leftover entries that the first scans missed. Open Malwarebytes and CHECK FOR UPDATES and run the scan again removing anything it finds, then post the log along with a new HJT log.
dustangel
2008-08-03, 11:23
whenever i start windows the following window pops up ...
Error loading C:\\WINDOWS\System32\tutnmxit.dll
The specified module could not be found.
n a spybot window pops up asking vther or not to allow the registry
entry of malwarebytes anti-malware(reboot) to be changed...
old data:
c:program files\malwarebytes'anti-malware\mbam.exe/runcleanupscript
on allowing the change nother spybot window pops up asking if the
following change shud be granted or not ....
category:scr extension handler
change:value changed
entry:(blank)
old data:"%1"/s
new data:"%!"%*
coz i din know what it is ... i denied the change n then nother spybot
window pops up asking if the following change shud be granted or not...
category:REG extension handler
change:value changed
entry:(blank)
old data:regedit.exe"%1"
new data:regedit.exe"%!"%*
i denied both the above changes ... these pop up windows keep coming
when ever i start windows ..... what shud i do regarding these ?.... n
stangely i updated mbam n tried scanning n it din show ne more vundo
threats unlike the prev one .... newayz im posting the MBAM n HJT
LOG..... pls help.... thanx in advance ken ....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:06 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - (no file)
O2 - BHO: (no name) - {8D63D3C3-26F2-4524-93CB-4FBBCFB29B28} - (no file)
O2 - BHO: (no name) - {BBFDA5E2-DD72-4171-9040-0FFA4331D406} - (no file)
O2 - BHO: (no name) - {C20A5313-F546-4CF6-8249-7F2C170111A4} - (no file)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [b4a2c651] rundll32.exe "C:\WINDOWS\system32\tutnmxit.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217711608171
O20 - Winlogon Notify: jkkIYspN - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5418 bytes
Malwarebytes' Anti-Malware 1.24
Database version: 1018
Windows 5.1.2600 Service Pack 2
1:35:50 PM 8/3/2008
mbam-log-8-3-2008 (13-35-50).txt
Scan type: Quick Scan
Objects scanned: 36808
Time elapsed: 2 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
Hi,
I really don't know what you have done to reinfect yourself but you did :red:
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done,
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Remove these with HJT.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00A76A07-7CE8-4033-A6BB-A4AFFC7E8327} - (no file)
O2 - BHO: (no name) - {8D63D3C3-26F2-4524-93CB-4FBBCFB29B28} - (no file)
O2 - BHO: (no name) - {BBFDA5E2-DD72-4171-9040-0FFA4331D406} - (no file)
O2 - BHO: (no name) - {C20A5313-F546-4CF6-8249-7F2C170111A4} - (no file)
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\system32\tutnmxit.dll",b
O20 - Winlogon Notify: jkkIYspN - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily [b]disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
dustangel
2008-08-03, 15:53
ComboFix 08-08-02.01 - Sreejith 2008-08-03 18:12:22.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.217 [GMT -12:00]
Running from: C:\Documents and Settings\Sreejith\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-08-02 09:45 . 2008-08-02 09:45 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-02 09:31 . 2008-08-02 09:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-01 16:07 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\Malwarebytes
2008-08-01 16:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 16:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:43 . 2008-08-01 11:43 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-01 11:41 . 2008-08-01 11:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-01 10:11 . 2008-08-01 10:11 <DIR> d--hs---- C:\FOUND.008
2008-07-30 01:09 . 2008-07-30 01:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 00:49 . 2008-07-30 00:49 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-28 01:36 . 2008-07-28 01:36 <DIR> d-------- C:\Program Files\ESET
2008-07-28 00:37 . 2008-07-28 00:37 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\ESET
2008-07-28 00:34 . 2008-07-28 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 17:09 . 2008-07-27 17:09 <DIR> d---s---- C:\Documents and Settings\Sreejith\UserData
2008-07-27 17:01 . 2008-07-27 17:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-27 02:00 . 2008-07-27 02:00 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-27 00:22 . 2008-07-27 00:22 <DIR> d-------- C:\Program Files\Sygate
2008-07-27 00:22 . 2003-10-14 19:20 77,824 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-07-27 00:22 . 2003-10-14 19:09 55,888 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-07-27 00:22 . 2003-10-14 19:11 18,515 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-07-27 00:22 . 2003-10-14 19:06 11,914 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-07-27 00:10 . 2008-07-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-27 00:08 . 2008-07-27 00:08 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 23:57 . 2008-07-26 23:57 26 --a------ C:\WINDOWS\DGcounter.ini
2008-07-26 23:39 . 2008-07-26 23:39 <DIR> d--hs---- C:\FOUND.007
2008-07-26 19:27 . 2008-07-26 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 18:39 . 2008-07-26 18:39 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 14:12 . 2008-07-26 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Program Files\NCH Software
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\NCH Swift Sound
2008-07-23 22:50 . 2008-07-23 22:50 <DIR> d--hs---- C:\FOUND.006
2008-07-22 23:14 . 2008-07-22 23:14 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-07-22 23:14 . 2008-07-22 23:14 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-07-22 15:48 . 2008-07-22 15:48 <DIR> d-------- C:\Documents and Settings\Sreejith\Contacts
2008-07-22 15:20 . 2008-07-22 15:20 <DIR> d--hs---- C:\FOUND.005
2008-07-21 01:32 . 2008-07-21 01:32 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-07-21 01:31 . 2008-07-21 01:31 <DIR> d-------- C:\Program Files\WinUtilities
2008-07-19 22:42 . 2008-07-19 22:42 <DIR> d--hs---- C:\FOUND.004
2008-07-17 22:22 . 2008-07-17 22:22 <DIR> d--hs---- C:\FOUND.003
2008-07-14 03:08 . 2008-07-26 20:29 268 --ah----- C:\sqmdata19.sqm
2008-07-14 03:08 . 2008-07-26 20:29 244 --ah----- C:\sqmnoopt19.sqm
2008-07-13 23:14 . 2008-07-13 23:14 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-13 23:11 . 2008-07-13 23:11 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-13 23:11 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-06 03:02 . 2008-07-26 15:45 268 --ah----- C:\sqmdata18.sqm
2008-07-06 03:02 . 2008-07-26 15:45 244 --ah----- C:\sqmnoopt18.sqm
2008-07-06 00:10 . 2008-07-26 03:11 268 --ah----- C:\sqmdata17.sqm
2008-07-06 00:10 . 2008-07-26 03:11 244 --ah----- C:\sqmnoopt17.sqm
2008-07-05 01:33 . 2008-07-26 02:18 268 --ah----- C:\sqmdata16.sqm
2008-07-05 01:33 . 2008-07-26 02:18 244 --ah----- C:\sqmnoopt16.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 21:04 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-07-01 21:04 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-07-01 21:04 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-07-01 20:57 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-07-01 20:56 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-30 12:26 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia Multimedia Player
2008-06-30 10:37 --------- d-----w C:\Program Files\IVT Corporation
2008-06-29 16:43 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ACD Systems
2008-06-29 08:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-06-29 07:01 --------- d-----w C:\Program Files\BitLord
2008-06-29 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-29 06:25 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-29 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-29 06:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-06-29 05:56 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\U3
2008-06-29 04:16 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\vlc
2008-06-29 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-06-29 00:53 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-29 00:53 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-29 00:05 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Datalayer
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeUM
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeAUM
2008-06-28 23:21 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia
2008-06-28 23:18 --------- d-----w C:\Program Files\DIFX
2008-06-28 23:17 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\PC Suite
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 23:16 --------- d-----w C:\Program Files\Nokia
2008-06-28 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-06-24 09:56 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Program Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-24 09:53 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Ahead
2008-06-24 09:50 --------- d-----w C:\Program Files\Opera
2008-06-24 09:37 --------- d-----w C:\Program Files\MSN Messenger
2008-06-24 09:36 --------- d-----w C:\Program Files\Yahoo!
2008-06-24 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-24 09:35 --------- d-----w C:\Program Files\Google
2008-06-24 09:22 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ArcSoft
2008-06-24 09:20 --------- d-----w C:\Program Files\INITIO
2008-06-24 09:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-06-24 09:19 --------- d-----w C:\Program Files\ArcSoft
2008-06-24 08:54 --------- d-----w C:\Program Files\Common Files\HP
2008-06-24 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-24 08:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-24 08:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-24 08:47 --------- d-----w C:\Program Files\HP
2008-06-24 08:41 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\HP
2008-06-24 08:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 08:14 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-06-24 08:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 08:14 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Symantec
2008-06-24 08:05 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-24 08:05 --------- d-----w C:\Program Files\Common Files\L&H
2008-06-24 08:04 --------- d-----w C:\Program Files\Microsoft Works
2008-06-24 08:03 --------- d-----w C:\Program Files\Microsoft.NET
2005-05-27 02:35 1,422 ----a-w C:\Program Files\ReadMe.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 09:22 3739648]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2003-10-21 16:36 2334792]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 09:01 1447168]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-06-23 21:19:28 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbi54.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci16.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio38.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsc63.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsy51.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winta40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winub40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe40.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
R3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 14:54]
S0 Winbi54;Winbi54;C:\WINDOWS\system32\Drivers\Winbi54.sys []
S0 Winci16;Winci16;C:\WINDOWS\system32\Drivers\Winci16.sys []
S0 Windj05;Windj05;C:\WINDOWS\system32\Drivers\Windj05.sys []
S0 Winfl05;Winfl05;C:\WINDOWS\system32\Drivers\Winfl05.sys []
S0 Wingm40;Wingm40;C:\WINDOWS\system32\Drivers\Wingm40.sys []
S0 Winio38;Winio38;C:\WINDOWS\system32\Drivers\Winio38.sys []
S0 Winpv73;Winpv73;C:\WINDOWS\system32\Drivers\Winpv73.sys []
S0 Winsc63;Winsc63;C:\WINDOWS\system32\Drivers\Winsc63.sys []
S0 Winsy51;Winsy51;C:\WINDOWS\system32\Drivers\Winsy51.sys []
S0 Winta40;Winta40;C:\WINDOWS\system32\Drivers\Winta40.sys []
S0 Winub40;Winub40;C:\WINDOWS\system32\Drivers\Winub40.sys []
S0 Winvc73;Winvc73;C:\WINDOWS\system32\Drivers\Winvc73.sys []
S0 Winwe40;Winwe40;C:\WINDOWS\system32\Drivers\Winwe40.sys []
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a78e90b-4592-11dd-ac78-0080482fc059}]
\Shell\AutoRun\command - N:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff18e102-5648-11dd-ac92-00158309cee0}]
\Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run*
\Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run**
\Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run*
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Sreejith\Application Data\Mozilla\Firefox\Profiles\men0sm26.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 18:13:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-08-03 18:14:31
ComboFix2.txt 2008-08-02 09:37:04
ComboFix-quarantined-files.txt 2008-08-04 06:14:30
Pre-Run: 5,421,252,608 bytes free
Post-Run: 5,411,979,264 bytes free
262
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:30 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217711608171
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 4752 bytes
Your logs look good :bigthumb:
The only thing I see out of whack is that you should only have ONE ANTI VIRUS PROGRAM AND ONE FIREWALL INSTALLED more is overkill and can slow your system down and cause you all sorts of issues.
This is what you have, your call but you need to keep just one and uninstall the others
C:\Program Files\ESET
C:\Program Files\Sygate
C:\Program Files\Common Files\Symantec Shared
How are things running now??
dustangel
2008-08-03, 17:23
hey ....... thanxxxxxxxxxxxxxx a looooooooooooooot again buddy:)
im just having one anti-virus .... thaz ESET NOD32 with firewall.... i had norton antivirus 2007 n i felt that it wasnt the best .... n coz of that i uninstalled it.... k ...ill uninstall sygate... but how do i get rid off C:\Program Files\Common Files\Symantec Shared ???? when i browsed into that folder i found some files in it.....but i had uninstalled it properly .... how do i get rid of it ?
dustangel
2008-08-03, 19:42
hey there... i tried installing tuneup utilities n after that again i got infected vth 2 trojans.... im posting the log file of MBAM after scanning ... i did the above procedure again .... n when i scanned using MBAM again my pc was found to be clean ....im posting the log files of HJT N combofix.... pls analyze n temme if my pc is clean ... y does the trojans keep affecting my system .... ?
Malwarebytes' Anti-Malware 1.24
Database version: 1018
Windows 5.1.2600 Service Pack 2
9:47:45 PM 8/3/2008
mbam-log-8-3-2008 (21-47-45).txt
Scan type: Quick Scan
Objects scanned: 36606
Time elapsed: 2 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:09 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217711608171
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 4793 bytes
ComboFix 08-08-02.01 - Sreejith 2008-08-03 21:53:08.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT -12:00]
Running from: C:\Documents and Settings\Sreejith\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-08-03 21:42 . 2008-08-03 21:42 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 21:42 . 2008-08-03 21:42 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\TuneUp Software
2008-08-03 21:42 . 2008-08-03 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 21:42 . 2008-08-03 21:42 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-03 21:42 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-02 09:45 . 2008-08-02 09:45 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-02 09:31 . 2008-08-02 09:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-01 16:07 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\Malwarebytes
2008-08-01 16:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 16:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:06 . 2008-08-01 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:43 . 2008-08-01 11:43 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-01 11:41 . 2008-08-01 11:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-01 10:11 . 2008-08-01 10:11 <DIR> d--hs---- C:\FOUND.008
2008-07-30 01:09 . 2008-07-30 01:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 00:49 . 2008-07-30 00:49 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-28 01:36 . 2008-07-28 01:36 <DIR> d-------- C:\Program Files\ESET
2008-07-28 00:37 . 2008-07-28 00:37 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\ESET
2008-07-28 00:34 . 2008-07-28 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 17:34 . 2008-07-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 17:09 . 2008-07-27 17:09 <DIR> d---s---- C:\Documents and Settings\Sreejith\UserData
2008-07-27 17:01 . 2008-07-27 17:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-27 02:00 . 2008-07-27 02:00 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-27 00:10 . 2008-07-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-27 00:08 . 2008-07-27 00:08 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 23:57 . 2008-07-26 23:57 26 --a------ C:\WINDOWS\DGcounter.ini
2008-07-26 23:39 . 2008-07-26 23:39 <DIR> d--hs---- C:\FOUND.007
2008-07-26 19:27 . 2008-07-26 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 18:39 . 2008-07-26 18:39 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 14:12 . 2008-07-26 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Program Files\NCH Software
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-23 22:55 . 2008-07-23 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-07-23 22:54 . 2008-07-23 22:54 <DIR> d-------- C:\Documents and Settings\Sreejith\Application Data\NCH Swift Sound
2008-07-23 22:50 . 2008-07-23 22:50 <DIR> d--hs---- C:\FOUND.006
2008-07-22 23:14 . 2008-07-22 23:14 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-07-22 23:14 . 2008-07-22 23:14 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-07-22 15:48 . 2008-07-22 15:48 <DIR> d-------- C:\Documents and Settings\Sreejith\Contacts
2008-07-22 15:20 . 2008-07-22 15:20 <DIR> d--hs---- C:\FOUND.005
2008-07-21 01:32 . 2008-07-21 01:32 <DIR> d-------- C:\WINDOWS\system32\AppData
2008-07-21 01:31 . 2008-07-21 01:31 <DIR> d-------- C:\Program Files\WinUtilities
2008-07-19 22:42 . 2008-07-19 22:42 <DIR> d--hs---- C:\FOUND.004
2008-07-17 22:22 . 2008-07-17 22:22 <DIR> d--hs---- C:\FOUND.003
2008-07-14 03:08 . 2008-07-26 20:29 268 --ah----- C:\sqmdata19.sqm
2008-07-14 03:08 . 2008-07-26 20:29 244 --ah----- C:\sqmnoopt19.sqm
2008-07-13 23:14 . 2008-07-13 23:14 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-13 23:11 . 2008-07-13 23:11 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-13 23:11 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-06 03:02 . 2008-07-26 15:45 268 --ah----- C:\sqmdata18.sqm
2008-07-06 03:02 . 2008-07-26 15:45 244 --ah----- C:\sqmnoopt18.sqm
2008-07-06 00:10 . 2008-07-26 03:11 268 --ah----- C:\sqmdata17.sqm
2008-07-06 00:10 . 2008-07-26 03:11 244 --ah----- C:\sqmnoopt17.sqm
2008-07-05 01:33 . 2008-07-26 02:18 268 --ah----- C:\sqmdata16.sqm
2008-07-05 01:33 . 2008-07-26 02:18 244 --ah----- C:\sqmnoopt16.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 21:04 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-07-01 21:04 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-07-01 21:04 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-07-01 20:57 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-07-01 20:56 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-30 12:26 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia Multimedia Player
2008-06-30 10:37 --------- d-----w C:\Program Files\IVT Corporation
2008-06-29 16:43 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ACD Systems
2008-06-29 08:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-29 07:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-06-29 07:01 --------- d-----w C:\Program Files\BitLord
2008-06-29 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-29 06:25 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-29 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-29 06:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-06-29 05:56 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\U3
2008-06-29 04:16 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\vlc
2008-06-29 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-06-29 00:53 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-29 00:53 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-29 00:05 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Datalayer
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeUM
2008-06-28 23:35 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\AdobeAUM
2008-06-28 23:21 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Nokia
2008-06-28 23:18 --------- d-----w C:\Program Files\DIFX
2008-06-28 23:17 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\PC Suite
2008-06-28 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 23:16 --------- d-----w C:\Program Files\Nokia
2008-06-28 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-06-24 09:56 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Program Files\ACD Systems
2008-06-24 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-24 09:53 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-24 09:52 --------- d-----w C:\Program Files\Ahead
2008-06-24 09:50 --------- d-----w C:\Program Files\Opera
2008-06-24 09:37 --------- d-----w C:\Program Files\MSN Messenger
2008-06-24 09:36 --------- d-----w C:\Program Files\Yahoo!
2008-06-24 09:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-24 09:35 --------- d-----w C:\Program Files\Google
2008-06-24 09:22 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\ArcSoft
2008-06-24 09:20 --------- d-----w C:\Program Files\INITIO
2008-06-24 09:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-24 09:19 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-06-24 09:19 --------- d-----w C:\Program Files\ArcSoft
2008-06-24 08:54 --------- d-----w C:\Program Files\Common Files\HP
2008-06-24 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-24 08:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-24 08:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-24 08:47 --------- d-----w C:\Program Files\HP
2008-06-24 08:41 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\HP
2008-06-24 08:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-24 08:14 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-06-24 08:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 08:14 --------- d-----w C:\Documents and Settings\Sreejith\Application Data\Symantec
2008-06-24 08:05 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-24 08:05 --------- d-----w C:\Program Files\Common Files\L&H
2008-06-24 08:04 --------- d-----w C:\Program Files\Microsoft Works
2008-06-24 08:03 --------- d-----w C:\Program Files\Microsoft.NET
2005-05-27 02:35 1,422 ----a-w C:\Program Files\ReadMe.txt
.
((((((((((((((((((((((((((((( snapshot@2008-08-03_18.14.10.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-04 05:30:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 09:49:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-04 05:30:44 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-04 09:49:22 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-04 05:30:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 09:49:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 09:22 3739648]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41 4617720]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 09:01 1447168]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [BU]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-06-23 21:19:28 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbi54.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci16.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl05.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio38.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsc63.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsy51.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winta40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winub40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe40.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 21:56]
R3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 14:54]
S0 Winbi54;Winbi54;C:\WINDOWS\system32\Drivers\Winbi54.sys []
S0 Winci16;Winci16;C:\WINDOWS\system32\Drivers\Winci16.sys []
S0 Windj05;Windj05;C:\WINDOWS\system32\Drivers\Windj05.sys []
S0 Winfl05;Winfl05;C:\WINDOWS\system32\Drivers\Winfl05.sys []
S0 Wingm40;Wingm40;C:\WINDOWS\system32\Drivers\Wingm40.sys []
S0 Winio38;Winio38;C:\WINDOWS\system32\Drivers\Winio38.sys []
S0 Winpv73;Winpv73;C:\WINDOWS\system32\Drivers\Winpv73.sys []
S0 Winsc63;Winsc63;C:\WINDOWS\system32\Drivers\Winsc63.sys []
S0 Winsy51;Winsy51;C:\WINDOWS\system32\Drivers\Winsy51.sys []
S0 Winta40;Winta40;C:\WINDOWS\system32\Drivers\Winta40.sys []
S0 Winub40;Winub40;C:\WINDOWS\system32\Drivers\Winub40.sys []
S0 Winvc73;Winvc73;C:\WINDOWS\system32\Drivers\Winvc73.sys []
S0 Winwe40;Winwe40;C:\WINDOWS\system32\Drivers\Winwe40.sys []
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-03 21:42]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a78e90b-4592-11dd-ac78-0080482fc059}]
\Shell\AutoRun\command - N:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff18e102-5648-11dd-ac92-00158309cee0}]
\Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run*
\Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run**
\Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run*
.
Contents of the 'Scheduled Tasks' folder
2008-08-04 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Sreejith\Application Data\Mozilla\Firefox\Profiles\men0sm26.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 21:54:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-08-03 21:55:06
ComboFix4.txt 2008-08-02 09:37:04
ComboFix-quarantined-files.txt 2008-08-04 09:55:04
ComboFix3.txt 2008-08-04 06:14:34
ComboFix2.txt 2008-08-04 09:35:06
Pre-Run: 5,152,768,000 bytes free
Post-Run: 5,143,248,896 bytes free
279
Looking Good :bigthumb:
Norton has a removal tool that you can run to remove all of Norton off your system.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
Let me ask you this, why are you downloading 3rd party utilities, I have been in computing since Windows 3.1 and have never really had any use for registry cleaners or other utilities like the defrag you installed. Windows utilities like the disk cleaner and defragger are just fine and more safe to use. Watch out what you download , there are a lot of utilities promising to do this and that and are in fact a trojan that can infect your system.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken