Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: Neeh help!! laptop infected with malware

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Hi ,

    My computer got infected with lot of malware. I had Symantec AV 9 which did not help. I removed and installed AVG 8.0 free edition. it used to clean some of the corrupted files but they came back all the time. I had Ad-Aware Se also installed, but that also did not help either. I read your forum and installed, Spybot - S&D, which removed most of the malware (CoolSearch, Virtumundo,etc). I still have something on my laptop, which keeps created dlls with random names in the C:\Windows\System32 folder, which cannot be deleted.

    Spybot - S&D could not clean it up completely.

    I followed the steps indicated in the forum (things to be done before posting). For some reason, I am not able to access free online scanner from the www.kaspersky.com website. I got file not found error and the next time around could not even access the website.

    I am pasting below the log from HijackThis 2.0.2

    ************** Start of Log *****************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:28:52 PM, on 5/31/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    c:\sdwork\issimsvc.exe
    C:\Windows\System32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Apache2.2\bin\ApacheMonitor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebR...=EN&prodOS=012
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local
    O2 - BHO: (no name) - {015E5C2A-EEC6-4B0E-9A44-D100D8CCC692} - C:\WINDOWS\system32\rqRHywww.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {8A946FDC-B8FD-424D-9C26-921532400815} - C:\WINDOWS\system32\awttQIcY.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {B1A64443-6FCA-41CE-8D51-5F8991257555} - C:\WINDOWS\system32\mlJBqqRh.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: (no name) - {F4D7412D-51CF-42C5-BEBD-EB02C0143DD7} - C:\WINDOWS\system32\fccBrSlk.dll (file missing)
    O2 - BHO: (no name) - {FC9335C7-FF3F-4035-8C13-AF7CD65CF801} - C:\WINDOWS\system32\ssqNGApm.dll (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\sndlxhka.dll",b
    O4 - HKLM\..\Run: [BM0bccbdff] Rundll32.exe "C:\WINDOWS\system32\aoxfsdfs.dll",s
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe http://downloadgrid.webahead.ibm.com...nt/JNLPWrapper
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [VoIP_SoftPhone] C:\Program Files\VoIP\SoftPhone\voip_softphone.exe
    O4 - HKCU\..\Run: [ctfmon] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS..._mt_helens_oct
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: mlJBqqRh - C:\WINDOWS\SYSTEM32\mlJBqqRh.dll
    O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1) - Unknown owner - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)

    --
    End of file - 15060 bytes

    ************** End of Log *****************

    Please help.

    Hi ,

    Also wanted to let you know that I am unable to access Mozilla Firefox and Opera browsers..

    whenever i start them, I see lot of activity hapenning writing to hard disk and nothing happens..

    please help..

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi,

    we will get two downloads to use. the first one sdfix needs to be run in safe mode. both generate logs. run sdfix first, followed by combofix. please paste the logs from each in reply.
    --------------------------------------
    sdfix:
    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R...ools/SDFix.exe


    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    * Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
    ---------------------------------------
    combofix:

    Download combofix from one of these links and save it to Desktop:

    http://subs.geekstogo.com/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

    shelf life
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Hi,

    here is the copy of the SDFix log.

    *** start ***


    SDFix: Version 1.187
    Run by Venkata Vedantham on Sun 06/01/2008 at 05:58 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\mlJBqqRh.dll - Deleted
    C:\WINDOWS\muotr.so - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted



    Folder C:\Temp\vtmp2 - Removed
    Folder C:\WINDOWS\system32\vntiho06 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-01 18:44:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
    "0"=hex:00,00,28,0a,01,00,05,00
    "1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6590e77]
    "000e070a3202"=hex:2b,2d,57,22,c6,bb,94,fe,ac,62,4d,bb,3d,b6,8b,69
    "0016dbdc2a47"=hex:7f,6b,a3,f5,58,89,04,74,85,8d,0d,51,d3,6c,70,02
    "0011b1cf23bd"=hex:d6,5d,a7,3b,b9,8a,a8,cb,d9,7b,93,19,c8,fe,7e,4c
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll]
    "0"=hex:00,00,28,0a,01,00,05,00
    "1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c6590e77]
    "000e070a3202"=hex:2b,2d,57,22,c6,bb,94,fe,ac,62,4d,bb,3d,b6,8b,69
    "0016dbdc2a47"=hex:7f,6b,a3,f5,58,89,04,74,85,8d,0d,51,d3,6c,70,02
    "0011b1cf23bd"=hex:d6,5d,a7,3b,b9,8a,a8,cb,d9,7b,93,19,c8,fe,7e,4c
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
    "affid"="7"
    "subid"="002"
    "control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
    "prov"="10010"
    "googleadserver"="pagead2.googlesyndication.com"
    "flagged"=dword:00000001

    scanning hidden files ...

    C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
    C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
    C:\WINDOWS\system32\clb.dll 10752 bytes executable
    C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
    C:\WINDOWS\system32\clbdll.dll 45056 bytes executable
    C:\WINDOWS\system32\clbinit.dll 1687 bytes
    C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
    C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes executable

    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 11


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\sdwork\\w32main2.exe"="C:\\sdwork\\w32main2.exe:*:Enabled:OSP Windows 32-bit ESD API"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
    "C:\\Program Files\\IBM\\IBM Community Tools\\IBM Community Tools.exe"="C:\\Program Files\\IBM\\IBM Community Tools\\IBM Community Tools.exe:*:Enabled:IBM Community Tools"
    "C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "F:\\Program Files\\ActiveState Komodo 3.5\\lib\\mozilla\\komodo.exe"="F:\\Program Files\\ActiveState Komodo 3.5\\lib\\mozilla\\komodo.exe:*:Disabled:ActiveState Komodo"
    "C:\\Program Files\\AT&T Network Client\\NetClient.exe"="C:\\Program Files\\AT&T Network Client\\NetClient.exe:*:Enabled:Network access client"
    "C:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe"="C:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe:*:Enabled:javaw"
    "C:\\work\\Apache Software Foundation\\Tomcat 5.0\\bin\\tomcat5.exe"="C:\\work\\Apache Software Foundation\\Tomcat 5.0\\bin\\tomcat5.exe:*:Enabled:Service Runner"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
    "C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:java"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "E:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe"="E:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe:*:Enabled:javaw"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
    "C:\\Program Files\\VoIP\\SoftPhone\\voip_softphone.exe"="C:\\Program Files\\VoIP\\SoftPhone\\voip_softphone.exe:*:Enabled:voip_softphone"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\Program Files\\VoIP\\Communicator\\Communicator.exe"="C:\\Program Files\\VoIP\\Communicator\\Communicator.exe:*:Enabled:Communicator"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Apache2.2\\bin\\httpd.exe"="C:\\Apache2.2\\bin\\httpd.exe:*:Disabled:Apache HTTP Server"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Disabled:Remote Assistance - Windows Messenger and Voice"
    "C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"

    Remaining Files :


    File Backups: - C:\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
    Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
    Thu 26 Oct 2006 4,912,968 ...H. --- "C:\Program Files\Picasa2\setup.exe"
    Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
    Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
    Sat 24 May 2008 130,048 ..SHR --- "C:\WINDOWS\system32\adsntb.exe"
    Mon 20 Jun 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 29 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT41.tmp"
    Mon 5 Mar 2007 24,646 ..SHR --- "C:\Documents and Settings\Venkata Vedantham\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

    Finished!

    ** end **

    I will run ComboFix & Hijackthis logs shortly..

    Thanks for the help.

  4. #4
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    HijackThis log after execution of SDFix.exe

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:50:28 PM, on 6/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    c:\sdwork\issimsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebR...=EN&prodOS=012
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local
    O2 - BHO: (no name) - {015E5C2A-EEC6-4B0E-9A44-D100D8CCC692} - C:\WINDOWS\system32\rqRHywww.dll (file missing)
    O2 - BHO: {dd66e97e-ac92-95ca-5d64-3ea39abcac11} - {11cacba9-3ae3-46d5-ac59-29cae79e66dd} - C:\WINDOWS\system32\dvstsduu.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {60AEF539-1414-4AEA-940A-4C5D2E3789B3} - C:\WINDOWS\system32\awtsPJAt.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {8A946FDC-B8FD-424D-9C26-921532400815} - C:\WINDOWS\system32\awttQIcY.dll (file missing)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: (no name) - {F4D7412D-51CF-42C5-BEBD-EB02C0143DD7} - C:\WINDOWS\system32\fccBrSlk.dll (file missing)
    O2 - BHO: (no name) - {FC9335C7-FF3F-4035-8C13-AF7CD65CF801} - C:\WINDOWS\system32\ssqNGApm.dll (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\drhxpcby.dll",b
    O4 - HKLM\..\Run: [BM0bccbdff] Rundll32.exe "C:\WINDOWS\system32\lfurxqwe.dll",s
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe http://downloadgrid.webahead.ibm.com...nt/JNLPWrapper
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [VoIP_SoftPhone] C:\Program Files\VoIP\SoftPhone\voip_softphone.exe
    O4 - HKCU\..\Run: [ctfmon] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS..._mt_helens_oct
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1) - Unknown owner - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)

    --
    End of file - 14899 bytes

  5. #5
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Hi,

    I was not able to download the ComboFix.exe from the links frommy infected computer.

    I download them from another one copied them onto the infected computer using a USB thumb drive. When I click on ComboFix.exe I do not see any prompts and nothing is hapenning.

    I ran SpyBot S&D again, it is showing "CommandService", Virtumondo, Virtumondo.dll.. (before I could fix them my laptop shutdown as it got heatup).

    I will run spybot s&d, then after fixing the problems will try ComboFix again. let me know if you want me to try something else

    Thanks.

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi aditya369,

    thanks for the info. you can try renaming the combofix icon to like scanme or something. if that dosnt work you can boot into safe mode to run it. to reach safe mode you would tap the f8 key during a computer restart. chose the first option from the list: safe mode. see if one of those options works.
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Hi Shelf Life,

    I re-ran SpyBot S&D, in safemode. It could not cleanup couple of registry entries related to CommandService.

    After rebooting, I ran ComboFix.exe after renaming it to a different name.

    Here is the ComboFix.exe log.

    ComboFix 08-06-01.6 - Venkata Vedantham 2008-06-04 1:00:34.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.714 [GMT -7:00]
    Running from: C:\Tools\Prakash.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Venkata Vedantham\Application Data\macromedia\Flash Player\#SharedObjects\TQ5KKL6A\www.broadcaster.com
    C:\Documents and Settings\Venkata Vedantham\Application Data\macromedia\Flash Player\#SharedObjects\TQ5KKL6A\www.broadcaster.com\played_list.sol
    C:\Documents and Settings\Venkata Vedantham\Application Data\macromedia\Flash Player\#SharedObjects\TQ5KKL6A\www.broadcaster.com\video_queue.sol
    C:\Documents and Settings\Venkata Vedantham\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\Venkata Vedantham\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\WINDOWS\BM0bccbdff.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\akhxldns.ini
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\clbdll.dll
    C:\WINDOWS\system32\clbinit.dll
    C:\WINDOWS\system32\drivers\clbdriver.sys
    C:\WINDOWS\system32\gmynatrh.ini
    C:\WINDOWS\system32\hgnhsksc.ini
    C:\WINDOWS\system32\hvyikbci.ini
    C:\WINDOWS\system32\JikknUtv.ini2
    C:\WINDOWS\system32\klSrBccf.ini
    C:\WINDOWS\system32\klSrBccf.ini2
    C:\WINDOWS\system32\mpAGNqss.ini
    C:\WINDOWS\system32\mpAGNqss.ini2
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\owowtjuj.ini
    C:\WINDOWS\system32\pkbreaaq.ini
    C:\WINDOWS\system32\racle~1
    C:\WINDOWS\system32\tAJPstwa.ini
    C:\WINDOWS\system32\tAJPstwa.ini2
    C:\WINDOWS\system32\uhhouakd.ini
    C:\WINDOWS\system32\wjvaasjn.ini
    C:\WINDOWS\system32\wwwyHRqr.ini
    C:\WINDOWS\system32\wwwyHRqr.ini2
    C:\WINDOWS\system32\xyGhNUvw.ini
    C:\WINDOWS\system32\xyGhNUvw.ini2
    C:\WINDOWS\system32\ybcpxhrd.ini
    C:\WINDOWS\system32\YcIQttwa.ini
    C:\WINDOWS\system32\YcIQttwa.ini2
    W:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CLBDRIVER
    -------\Legacy_CMDSERVICE
    -------\Legacy_IPRIP
    -------\Legacy_MSSECURITY1.209.4
    -------\Legacy_NETWORK_MONITOR
    -------\Service_cmdService
    -------\Service_Iprip


    ((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
    .

    2008-06-01 17:43 . 2008-06-01 17:43 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-06-01 17:39 . 2008-06-01 17:39 <DIR> d-------- C:\SDFix
    2008-06-01 17:25 . 2008-06-04 00:58 <DIR> d-------- C:\Tools
    2008-05-31 20:26 . 2008-05-31 20:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-31 03:00 . 2008-06-03 02:19 211 --a------ C:\WINDOWS\wininit.ini
    2008-05-31 02:22 . 2008-05-31 02:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-31 02:22 . 2008-05-31 02:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-30 23:45 . 2008-06-04 01:25 2,206 --a------ C:\WINDOWS\system32\wpa.dbl
    2008-05-27 03:31 . 2004-11-21 21:35 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Symantec
    2008-05-27 03:31 . 2004-11-21 21:23 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Sonic
    2008-05-27 03:31 . 2004-11-21 21:34 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Apple Computer
    2008-05-27 03:30 . 2008-05-27 03:31 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET
    2008-05-27 03:30 . 2008-05-27 03:30 <DIR> d-------- C:\Documents and Settings\SRINIVAS
    2008-05-26 22:55 . 2008-05-27 02:09 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-05-26 22:27 . 2008-05-26 22:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-05-26 22:27 . 2008-05-26 22:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-05-26 22:27 . 2008-05-26 22:27 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-05-26 22:26 . 2008-05-26 22:26 <DIR> d-------- C:\Program Files\AVG
    2008-05-26 22:26 . 2008-05-26 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-05-26 20:39 . 2008-05-26 22:41 <DIR> d-------- C:\Documents and Settings\Venkata Vedantham\Application Data\AVGTOOLBAR
    2008-05-26 17:49 . 2008-05-26 17:49 <DIR> d-------- C:\ba63d1fd0809d5f8182811
    2008-05-26 17:36 . 2008-05-26 17:36 <DIR> d-------- C:\5de4fe4ae237e10fcbc3ec976b50
    2008-05-24 17:01 . 2008-05-24 17:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-05-24 16:19 . 2008-05-24 16:39 <DIR> d--hs---- C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0
    2008-05-24 07:24 . 2008-05-24 07:24 130,048 -r-hs---- C:\WINDOWS\system32\adsntb.exe
    2008-05-24 07:24 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-05-16 16:48 . 2008-05-16 16:48 <DIR> d-------- C:\ed94d20ae860205594b200c0c073

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-04 06:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-05-27 12:38 --------- d-----w C:\Program Files\DivX
    2008-05-27 05:41 --------- d-----w C:\Program Files\Google
    2008-05-27 05:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-20 17:35 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
    2008-04-16 03:56 --------- d-----w C:\Documents and Settings\Venkata Vedantham\Application Data\U3
    2008-04-15 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-15 04:36 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-15 04:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-01-21 17:22 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2005-07-18 07:47 954 ----a-w C:\Documents and Settings\Venkata Vedantham\Application Data\wklnhst.dat
    2007-05-23 02:14 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-05-23 02:17 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
    2005-07-29 23:24 472 --sha-r C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0\pApRuZIXsm1qtql1vBlCsqX.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{015E5C2A-EEC6-4B0E-9A44-D100D8CCC692}]
    C:\WINDOWS\system32\rqRHywww.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11cacba9-3ae3-46d5-ac59-29cae79e66dd}]
    C:\WINDOWS\system32\dvstsduu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A946FDC-B8FD-424D-9C26-921532400815}]
    C:\WINDOWS\system32\awttQIcY.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    2008-05-26 22:27 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4D7412D-51CF-42C5-BEBD-EB02C0143DD7}]
    C:\WINDOWS\system32\fccBrSlk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC9335C7-FF3F-4035-8C13-AF7CD65CF801}]
    C:\WINDOWS\system32\ssqNGApm.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-26 22:27 2050816]

    [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
    [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-26 22:27 2050816]

    [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
    [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" [2004-04-07 12:22 868421 C:\WINDOWS\system32\nview.dll]
    "Sonic RecordNow!"="" []
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
    "DownloadGrid"="C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe" [2005-03-04 19:49 135168]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 15:32 68856]
    "VoIP_SoftPhone"="C:\Program Files\VoIP\SoftPhone\voip_softphone.exe" [ ]
    "Microsoft Windows Installer"="" []
    "ctfmon"="C:\Windows\System32\ctfmon.exe" [2004-08-04 01:00 15360]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 20:40 159744]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-09-03 05:52 88363 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 12:22 4730880]
    "nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [2005-03-04 20:01 32881]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 12:50 290816]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-02-24 23:23 95960]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 01:44 180269]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 12:31 29696 C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02 67184]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
    "stgclean"="c:\sdwork\w32main2.exe" [2006-11-27 07:33 260608]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-08 02:26 282624]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
    "MsmqIntCert"="regsvr32 /s mqrt.dll" []
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-26 22:26 1177368]
    "ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2006-12-05 09:05 203264]
    "08ff8e63"="C:\WINDOWS\system32\drhxpcby.dll" [ ]
    "BM0bccbdff"="C:\WINDOWS\system32\lfurxqwe.dll" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 15:32 68856]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-15 02:03:18 125624]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-07-15 11:03:42 581632]
    Monitor Apache Servers.lnk - C:\Apache2.2\bin\ApacheMonitor.exe [2006-04-29 18:33:42 41041]
    Volume Control.lnk - C:\WINDOWS\system32\sndvol32.exe [2007-08-29 21:26:40 138752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.SP62"= SP6X_32.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\scJ64.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgN42.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\sdwork\\w32main2.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "C:\\WINDOWS\\system32\\mshta.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe"=
    "C:\\work\\Apache Software Foundation\\Tomcat 5.0\\bin\\tomcat5.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\VoIP\\Communicator\\Communicator.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Apache2.2\\bin\\httpd.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-26 22:27]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-26 22:26]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 22:26]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-26 22:27]
    R2 IBM Agent Controller;IBM Agent Controller;C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe [2004-04-16 13:40]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 10:21]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
    S0 scJ64;scJ64;C:\WINDOWS\system32\Drivers\scJ64.sys []
    S0 vgN42;vgN42;C:\WINDOWS\system32\Drivers\vgN42.sys []
    S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
    S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2007-01-10 23:10]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 SUNPLUS;SightCAM PC-100p;C:\WINDOWS\system32\Drivers\SPIXNEW.SYS [2002-03-07 18:21]
    S4 Apache2.2;Apache2.2;"C:\Apache2.2\bin\httpd.exe" -k runservice []
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
    S4 MySQL41;MySQL41;"C:\work\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\work\MySQL\MySQL Server 4.1\my.ini" MySQL41 []
    S4 Tomcat5;Apache Tomcat;"C:\work\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\W]
    \Shell\AutoRun\command - W:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7448958-536a-11dc-a586-0010c6590e77}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-19 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Venkata Vedantham.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 01:26:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????m????|?????? ???B???????????????B? ??????

    scanning hidden files ...


    C:\WINDOWS\TEMP\d270d1ed-0cc6-4201-9bf7-9808ef01298e.tmp

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1]
    "ImagePath"="c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL41]
    "ImagePath"="\"C:\work\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\work\MySQL\MySQL Server 4.1\my.ini\" MySQL41"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1]
    "ImagePath"="c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Logitech\SetPoint\lgscroll.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Apoint2K\ApntEx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-04 1:48:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-04 08:47:58

    Pre-Run: 3,886,501,888 bytes free
    Post-Run: 4,611,952,640 bytes free

    304 --- E O F --- 2008-05-17 03:33:45

  8. #8
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Here is the HijackThis log after execution of ComboFix

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:53:02 AM, on 6/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    c:\sdwork\issimsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebR...=EN&prodOS=012
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local
    O2 - BHO: (no name) - {015E5C2A-EEC6-4B0E-9A44-D100D8CCC692} - C:\WINDOWS\system32\rqRHywww.dll (file missing)
    O2 - BHO: {dd66e97e-ac92-95ca-5d64-3ea39abcac11} - {11cacba9-3ae3-46d5-ac59-29cae79e66dd} - C:\WINDOWS\system32\dvstsduu.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {8A946FDC-B8FD-424D-9C26-921532400815} - C:\WINDOWS\system32\awttQIcY.dll (file missing)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O2 - BHO: (no name) - {F4D7412D-51CF-42C5-BEBD-EB02C0143DD7} - C:\WINDOWS\system32\fccBrSlk.dll (file missing)
    O2 - BHO: (no name) - {FC9335C7-FF3F-4035-8C13-AF7CD65CF801} - C:\WINDOWS\system32\ssqNGApm.dll (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\drhxpcby.dll",b
    O4 - HKLM\..\Run: [BM0bccbdff] Rundll32.exe "C:\WINDOWS\system32\lfurxqwe.dll",s
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe http://downloadgrid.webahead.ibm.com...nt/JNLPWrapper
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [VoIP_SoftPhone] C:\Program Files\VoIP\SoftPhone\voip_softphone.exe
    O4 - HKCU\..\Run: [ctfmon] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS..._mt_helens_oct
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1) - Unknown owner - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)

    --
    End of file - 14800 bytes

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi aditya369,

    thanks for the info. must be running much better now i would assume.
    we will use combofix;

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    File::
    C:\WINDOWS\system32\adsntb.exe
    C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0\pApRuZIXsm1qtql1vBlCsqX.vbs
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{015E5C2A-EEC6-4B0E-9A44-D100D8CCC692}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11cacba9-3ae3-46d5-ac59-29cae79e66dd}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A946FDC-B8FD-424D-9C26-921532400815}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4D7412D-51CF-42C5-BEBD-EB02C0143DD7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC9335C7-FF3F-4035-8C13-AF7CD65CF801}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "08ff8e63"="-
    "BM0bccbdff"="-
    Name the Notepad file CFScript.txt and Save it to your desktop.
    now locate the file you just saved and the combofix icon
    using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
    please post the new combofix log and a new hjt log.
    ------------------------------------------------------
    one more download to get and use:
    Please download Malwarebytes' Anti-Malware to your desktop:

    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    please post the new combofix log and the malwarebytes log.
    How Can I Reduce My Risk?

  10. #10
    Junior Member
    Join Date
    Jun 2008
    Posts
    16

    Default

    Hi Shelf Life,

    I think it is sure better (I have not tried to run any other programs though). After executing the above mentioned steps, when I rebooted, there is a still a program starting up with a window title "Windows File Protection". This also looks like virus kicking off at startup.

    Here is the combofix log

    ComboFix 08-06-01.6 - Venkata Vedantham 2008-06-04 22:26:00.2 - NTFSx86
    Running from: C:\Tools\Prakash.exe
    Command switches used :: C:\Tools\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\adsntb.exe
    C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0\pApRuZIXsm1qtql1vBlCsqX.vbs
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Venkata Vedantham\Local Settings\Temporary Internet Files\bestwiner.stt
    C:\WINDOWS\system32\adsntb.exe
    C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0\pApRuZIXsm1qtql1vBlCsqX.vbs

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
    .

    2008-06-01 17:43 . 2008-06-01 17:43 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-06-01 17:39 . 2008-06-01 17:39 <DIR> d-------- C:\SDFix
    2008-06-01 17:25 . 2008-06-04 22:25 <DIR> d-------- C:\Tools
    2008-05-31 20:26 . 2008-05-31 20:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-31 03:00 . 2008-06-03 02:19 211 --a------ C:\WINDOWS\wininit.ini
    2008-05-31 02:22 . 2008-05-31 02:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-31 02:22 . 2008-05-31 02:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-30 23:45 . 2008-06-04 01:25 2,206 --a------ C:\WINDOWS\system32\wpa.dbl
    2008-05-27 03:31 . 2004-11-21 21:35 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Symantec
    2008-05-27 03:31 . 2004-11-21 21:23 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Sonic
    2008-05-27 03:31 . 2004-11-21 21:34 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET\Application Data\Apple Computer
    2008-05-27 03:30 . 2008-05-27 03:31 <DIR> d-------- C:\Documents and Settings\SRINIVAS\ASPNET
    2008-05-27 03:30 . 2008-05-27 03:30 <DIR> d-------- C:\Documents and Settings\SRINIVAS
    2008-05-26 22:55 . 2008-05-27 02:09 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-05-26 22:27 . 2008-05-26 22:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-05-26 22:27 . 2008-05-26 22:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-05-26 22:27 . 2008-05-26 22:27 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-05-26 22:26 . 2008-05-26 22:26 <DIR> d-------- C:\Program Files\AVG
    2008-05-26 22:26 . 2008-05-26 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-05-26 20:39 . 2008-05-26 22:41 <DIR> d-------- C:\Documents and Settings\Venkata Vedantham\Application Data\AVGTOOLBAR
    2008-05-26 17:49 . 2008-05-26 17:49 <DIR> d-------- C:\ba63d1fd0809d5f8182811
    2008-05-26 17:36 . 2008-05-26 17:36 <DIR> d-------- C:\5de4fe4ae237e10fcbc3ec976b50
    2008-05-24 17:01 . 2008-05-24 17:04 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-05-24 16:19 . 2008-06-04 22:26 <DIR> d--hs---- C:\WINDOWS\VmVua2F0YSBWZWRhbnRoYW0
    2008-05-24 07:24 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-05-16 16:48 . 2008-05-16 16:48 <DIR> d-------- C:\ed94d20ae860205594b200c0c073

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-04 06:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-05-27 12:38 --------- d-----w C:\Program Files\DivX
    2008-05-27 05:41 --------- d-----w C:\Program Files\Google
    2008-05-27 05:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-20 17:35 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
    2008-04-16 03:56 --------- d-----w C:\Documents and Settings\Venkata Vedantham\Application Data\U3
    2008-04-15 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-04-15 04:36 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-15 04:12 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-01-21 17:22 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2005-07-18 07:47 954 ----a-w C:\Documents and Settings\Venkata Vedantham\Application Data\wklnhst.dat
    2007-05-23 02:14 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-05-23 02:17 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    2008-05-26 22:27 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-26 22:27 2050816]

    [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
    [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-26 22:27 2050816]

    [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
    [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" [2004-04-07 12:22 868421 C:\WINDOWS\system32\nview.dll]
    "Sonic RecordNow!"="" []
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
    "DownloadGrid"="C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe" [2005-03-04 19:49 135168]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 15:32 68856]
    "VoIP_SoftPhone"="C:\Program Files\VoIP\SoftPhone\voip_softphone.exe" [ ]
    "Microsoft Windows Installer"="" []
    "ctfmon"="C:\Windows\System32\ctfmon.exe" [2004-08-04 01:00 15360]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 20:40 159744]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-09-03 05:52 88363 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 12:22 4730880]
    "nwiz"="nwiz.exe" [2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [2005-03-04 20:01 32881]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 12:50 290816]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-02-24 23:23 95960]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 01:44 180269]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 12:31 29696 C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02 67184]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
    "stgclean"="c:\sdwork\w32main2.exe" [2006-11-27 07:33 260608]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-08 02:26 282624]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
    "MsmqIntCert"="regsvr32 /s mqrt.dll" []
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-26 22:26 1177368]
    "ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2006-12-05 09:05 203264]
    "08ff8e63"="C:\WINDOWS\system32\drhxpcby.dll" [ ]
    "BM0bccbdff"="C:\WINDOWS\system32\lfurxqwe.dll" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 15:32 68856]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-15 02:03:18 125624]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-07-15 11:03:42 581632]
    Monitor Apache Servers.lnk - C:\Apache2.2\bin\ApacheMonitor.exe [2006-04-29 18:33:42 41041]
    Volume Control.lnk - C:\WINDOWS\system32\sndvol32.exe [2007-08-29 21:26:40 138752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.SP62"= SP6X_32.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\scJ64.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgN42.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\sdwork\\w32main2.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "C:\\WINDOWS\\system32\\mshta.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe"=
    "C:\\work\\Apache Software Foundation\\Tomcat 5.0\\bin\\tomcat5.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\VoIP\\Communicator\\Communicator.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Apache2.2\\bin\\httpd.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-26 22:27]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-26 22:26]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 22:26]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-26 22:27]
    R2 IBM Agent Controller;IBM Agent Controller;C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe [2004-04-16 13:40]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 10:21]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 10:20]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
    S0 scJ64;scJ64;C:\WINDOWS\system32\Drivers\scJ64.sys []
    S0 vgN42;vgN42;C:\WINDOWS\system32\Drivers\vgN42.sys []
    S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
    S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2007-01-10 23:10]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 SUNPLUS;SightCAM PC-100p;C:\WINDOWS\system32\Drivers\SPIXNEW.SYS [2002-03-07 18:21]
    S4 Apache2.2;Apache2.2;"C:\Apache2.2\bin\httpd.exe" -k runservice []
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
    S4 MySQL41;MySQL41;"C:\work\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\work\MySQL\MySQL Server 4.1\my.ini" MySQL41 []
    S4 Tomcat5;Apache Tomcat;"C:\work\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\W]
    \Shell\AutoRun\command - W:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7448958-536a-11dc-a586-0010c6590e77}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-19 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Venkata Vedantham.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-04 22:32:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????m????|?????? ???B???????????????B? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1]
    "ImagePath"="c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL41]
    "ImagePath"="\"C:\work\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\work\MySQL\MySQL Server 4.1\my.ini\" MySQL41"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1]
    "ImagePath"="c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"
    .
    Completion time: 2008-06-04 22:47:13
    ComboFix-quarantined-files.txt 2008-06-05 05:46:31
    ComboFix2.txt 2008-06-04 08:48:11

    Pre-Run: 4,608,782,336 bytes free
    Post-Run: 4,593,557,504 bytes free

    225 --- E O F --- 2008-05-17 03:33:45


    HiJack this log after executing combofix.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:27 PM, on 6/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    c:\sdwork\issimsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\Tools\mbam-setup.exe
    C:\DOCUME~1\VENKAT~1\LOCALS~1\Temp\is-CGV9C.tmp\mbam-setup.tmp
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebR...=EN&prodOS=012
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\drhxpcby.dll",b
    O4 - HKLM\..\Run: [BM0bccbdff] Rundll32.exe "C:\WINDOWS\system32\lfurxqwe.dll",s
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\Java\j2re1.4.2_08\javaws\javaws.exe http://downloadgrid.webahead.ibm.com...nt/JNLPWrapper
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [VoIP_SoftPhone] C:\Program Files\VoIP\SoftPhone\voip_softphone.exe
    O4 - HKCU\..\Run: [ctfmon] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS..._mt_helens_oct
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_localhost_server1) - Unknown owner - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)

    --
    End of file - 14233 bytes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •