Help Required malware problem

U

usa_lion

New member
Hi,

Please help , I am getting the pop ups continously . Below is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ssmmlma] "C:\Documents and Settings\PKumar\My Documents\a?sembly\w?crtupd.exe"
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Unknown owner - C:/tibco/bf/5.1/db/bin/ttsrv51.exe
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7950 bytes
 
Hi usa_lion

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
 
Hi Shaba,

I would like to thank you for the reply .
Below is the log after renaming HijackThis.exe to scanner.exe .


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:50, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\SICLT32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\lnnbwkmk.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ssmmlma] "C:\Documents and Settings\PKumar\My Documents\a?sembly\w?crtupd.exe"
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O20 - Winlogon Notify: CredNP - C:\WINDOWS\SYSTEM32\CredNP.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Broadcom Corporation - (no file)
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 8153 bytes

Waiting for your reply.
Thanks
 
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\SYSTEM32\CredNP.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Hi Shaba,

Below is the result after scan on virustotal



Antivirus Version Last Update Result
AhnLab-V3 2007.7.28.0 2007.07.30 -
AntiVir 7.4.0.50 2007.07.30 -
Authentium 4.93.8 2007.07.27 -
Avast 4.7.997.0 2007.07.30 -
AVG 7.5.0.476 2007.07.30 -
BitDefender 7.2 2007.07.30 -
CAT-QuickHeal 9.00 2007.07.28 -
ClamAV 0.91 2007.07.30 -
DrWeb 4.33 2007.07.30 -
eSafe 7.0.15.0 2007.07.29 -
eTrust-Vet 31.1.5016 2007.07.30 -
Ewido 4.0 2007.07.30 -
FileAdvisor 1 2007.07.30 -
Fortinet 2.91.0.0 2007.07.30 -
F-Prot 4.3.2.48 2007.07.27 -
F-Secure 6.70.13030.0 2007.07.30 -
Ikarus T3.1.1.8 2007.07.30 -
Kaspersky 4.0.2.24 2007.07.30 -
McAfee 5085 2007.07.27 -
Microsoft 1.2704 2007.07.30 -
NOD32v2 2428 2007.07.30 -
Norman 5.80.02 2007.07.30 -
Panda 9.0.0.4 2007.07.29 -
Rising 19.34.02.00 2007.07.30 -
Prevx1 V2 2007.07.30 -
Sophos 4.19.0 2007.07.26 -
Sunbelt 2.2.907.0 2007.07.28 -
Symantec 10 2007.07.30 -
TheHacker 6.1.7.158 2007.07.30 -
VBA32 3.12.2.1 2007.07.30 -
VirusBuster 4.3.26:9 2007.07.30 -
Webwasher-Gateway 6.0.1 2007.07.30 -
Additional information
File size: 155725 bytes
MD5: 514c75efb1aec585ec25bee42b51ebc2
SHA1: 3fc2127a603f94d615606f53f2ced44acb201172

Thanks
 
Hi

Ok, clean as expected :)

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
Hi Shaba,

Below are the logs , as I am getting "The text that you have entered is too long (22819 characters). Please shorten it to 20000 characters long" , I am posting the logs in two post.

Combofix log



ComboFix 07-07-30.2 - "Pkumar" 2007-07-30 8:52:51.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\lnnbwkmk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-29 20:54 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-29 20:53 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\Simply Super Software
2007-07-29 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 19:16 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-29 07:14 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-07-29 07:06 <DIR> d-------- C:\KAV
2007-07-28 20:36 13,998 --a------ C:\dnsbak.reg
2007-07-26 14:24 <DIR> d-------- C:\Temp\brr
2007-07-26 14:24 <DIR> d-------- C:\Temp\0c2
2007-07-23 07:08 45,056 --a------ C:\WINDOWS\system32\iprntlgn.exe
2007-07-23 07:08 32,768 --a------ C:\WINDOWS\system32\nipplgex.dll
2007-07-08 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-06-27 11:03 99,840 --a------ C:\WINDOWS\system32\Zipdll.dll
2007-06-27 11:03 94,208 --a------ C:\WINDOWS\system32\Unzdll.dll
2007-06-27 11:03 78,848 --a------ C:\WINDOWS\system32\IC32.DLL
2007-06-27 11:03 77,824 --a------ C:\WINDOWS\system32\msbind.dll
2007-06-27 11:03 66,560 --a------ C:\WINDOWS\system32\Txtls32.dll
2007-06-27 11:03 640,512 --a------ C:\WINDOWS\system32\OC30.DLL
2007-06-27 11:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-27 11:03 570,128 --a------ C:\WINDOWS\system32\dao350.dll
2007-06-27 11:03 48,128 --a------ C:\WINDOWS\system32\Wndtls32.dll
2007-06-27 11:03 430,080 --a------ C:\WINDOWS\system32\Msrepl35.dll
2007-06-27 11:03 348,672 --a------ C:\WINDOWS\system32\txobj32.dll
2007-06-27 11:03 314,880 --a------ C:\WINDOWS\system32\Tx32.dll
2007-06-27 11:03 299,008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL
2007-06-27 11:03 262,144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-06-27 11:03 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2007-06-27 11:03 230,912 --a------ C:\WINDOWS\system32\Zipit.dll
2007-06-27 11:03 137,216 --a------ C:\WINDOWS\system32\MSDERUN.DLL
2007-06-27 11:03 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
2007-06-27 11:03 1,050,896 --a------ C:\WINDOWS\system32\Msjet35.dll
2007-06-26 10:21 <DIR> d-------- C:\BWEDU
2007-06-26 08:30 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-26 08:29 <DIR> d-------- C:\Program Files\Pidgin
2007-06-21 15:05 <DIR> d-------- C:\jakarta-jmeter-2.2
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Reflection
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Lotus
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Common Files\Lotus
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Business Objects
2007-06-08 08:03 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-08 08:03 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-06-08 08:02 <DIR> d-------- C:\Temp\remedy_7_0
2007-06-04 11:14 <DIR> d-------- C:\Program Files\Trillian
2007-06-01 16:20 <DIR> d-------- C:\DOCUME~1\PKumar\.hawk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 07:48 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.gaim
2007-07-29 20:53 --------- d-------- C:\Program Files\PowerArchiver
2007-07-29 07:08 --------- d-------- C:\Program Files\Network Associates
2007-07-26 14:49 --------- d-------- C:\Program Files\Online Services
2007-07-23 17:25 --------- d-------- C:\Program Files\PLSQL Developer
2007-06-26 08:31 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-08 21:27 --------- d-------- C:\Program Files\DivX
2007-06-08 08:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-09 15:00 186443 --a------ C:\WINDOWS\system32\atasnt40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-08-31 16:50]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 C:\WINDOWS\system32\nwtray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-09 20:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ssmmlma"="C:\Documents and Settings\PKumar\My Documents\a?sembly\w?crtupd.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2004-06-15 21:03:42]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-16 14:03:35]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe [2005-10-04 18:23:04]
GKProbe.lnk - C:\Program Files\Credant\Gatekeeper\GKProbe.exe [2006-03-22 21:13:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
"SynchronousMachineGroupPolicy"=1 (0x1)
"SynchronousUserGroupPolicy"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"DisallowRun"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2004-06-15 21:03 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CredNP]
CredNP.dll 2006-11-01 19:19 155725 C:\WINDOWS\system32\CredNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2004-10-01 14:32 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-398323\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-9889\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys
R2 BthServ;Bluetooth Support Service;C:\WINDOWS\system32\svchost.exe -k bthsvcs
R2 CMGShield;CMG Shield;C:\WINDOWS\system32\Credant.exe
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 guardian;CREDANT Mobile Guardian Gatekeeper;"C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe"
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 APSINV;APSINV;\??\C:\WINDOWS\system32\DRIVERS\APSINV.SYS
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 BthEnum;Bluetooth Request Block Driver;C:\WINDOWS\system32\DRIVERS\BthEnum.sys
S3 BthPan;Bluetooth Device (Personal Area Network);C:\WINDOWS\system32\DRIVERS\bthpan.sys
S3 BTHPORT;Bluetooth Port Driver;C:\WINDOWS\system32\Drivers\BTHport.sys
S3 BTHUSB;Bluetooth Radio USB Driver;C:\WINDOWS\system32\Drivers\BTHUSB.sys
S3 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 HSXHWAZL;HSXHWAZL;C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE
S3 OracleORACLE_INCONCERTAgent;OracleORACLE_INCONCERTAgent;C:\oranthphcdata\bin\agntsrvc.exe
S3 OracleORACLE_INCONCERTClientCache;OracleORACLE_INCONCERTClientCache;C:\oranthphcdata\BIN\ONRSD.EXE
S3 OracleORACLE_INCONCERTHTTPServer;OracleORACLE_INCONCERTHTTPServer;"C:\oranthphcdata\Apache\Apache\apache.exe" --ntservice
S3 OracleORACLE_INCONCERTPagingServer;OracleORACLE_INCONCERTPagingServer;C:\oranthphcdata/bin/pagntsrv.exe
S3 OracleORACLE_INCONCERTSNMPPeerEncapsulator;OracleORACLE_INCONCERTSNMPPeerEncapsulator;C:\oranthphcdata\BIN\ENCSVC.EXE
S3 OracleORACLE_INCONCERTSNMPPeerMasterAgent;OracleORACLE_INCONCERTSNMPPeerMasterAgent;C:\oranthphcdata\BIN\AGNTSVC.EXE
S3 OracleORACLE_INCONCERTTNSListener;OracleORACLE_INCONCERTTNSListener;C:\oranthphcdata\BIN\TNSLSNR
S3 OracleORACLE9_HOMEPagingServer;OracleORACLE9_HOMEPagingServer;C:\orantdata/bin/pagntsrv.exe
S3 OracleServiceINCON;OracleServiceINCON;c:\oranthphcdata\bin\ORACLE.EXE INCON
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 tibemsd;TIBCO EMS Server;C:\tibco\ems\bin\emsntsct.exe "tibemsd"
S3 TIBHawkAgent;TIBCO Hawk Agent;C:\tibco\hawk\bin\tibhawkagentnt.exe
S3 TIBHawkEvent;TIBCO Hawk Event;C:\tibco\hawk\bin\tibhawkeventnt.exe
S3 TIBHawkHMA;TIBCO Hawk HMA;C:\tibco\hawk\bin\tibhawkhma.exe --service TIBHawkHMA
S3 TIBInConcert Repository Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe C:\tibco\bwc\5.2\server\PRIMAR~1 Primary_Server_Name
S3 TIBInConcert Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe Primary_Server_Name
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 USB55N51;D-Link AirPlus G DWL-G122 Wireless Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\USB55N51.sys
S3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S4 Oracle ADI Service;Oracle ADI Service;C:\orant\BIN\ADISRV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b5dcb0-0fbd-11dc-9b1a-000b7d26e945}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 09:02:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBCOAdmin-GHPHC]
"ImagePath"="C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe --ntservice \"TIBCOAdmin-GHPHC\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBHawkAgent-GHPHC]
"ImagePath"="C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe --ntservice \"TIBHawkAgent-GHPHC\""

Completion time: 2007-07-30 9:03:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 09:03
C:\ComboFix2.txt ... 2007-07-29 20:31
C:\ComboFix3.txt ... 2007-07-28 20:36

--- E O F ---

ThisHijack in below post
 
Conitnue ......





HijacThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:08, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\SICLT32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Lotus\notes\notes.exe
C:\Lotus\notes\NLNOTES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ssmmlma] "C:\Documents and Settings\PKumar\My Documents\a?sembly\w?crtupd.exe"
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O20 - Winlogon Notify: CredNP - C:\WINDOWS\SYSTEM32\CredNP.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Broadcom Corporation - (no file)
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 8159 bytes


Thanks
 
Hi

Have you set these by yourself?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [Ssmmlma] "C:\Documents and Settings\PKumar\My Documents\a?sembly\w?crtupd.exe"

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

Folder::
C:\Temp

Save this as "CFScript"

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
 
Hi Shaba,

Please find the Logs below

Combo log

ComboFix 07-07-30.2 - "Pkumar" 2007-07-30 9:39:57.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Gan\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-29 20:54 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-29 20:53 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\Simply Super Software
2007-07-29 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 19:16 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-29 07:14 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-07-29 07:06 <DIR> d-------- C:\KAV
2007-07-28 20:36 13,998 --a------ C:\dnsbak.reg
2007-07-26 14:24 <DIR> d-------- C:\Temp\brr
2007-07-26 14:24 <DIR> d-------- C:\Temp\0c2
2007-07-23 07:08 45,056 --a------ C:\WINDOWS\system32\iprntlgn.exe
2007-07-23 07:08 32,768 --a------ C:\WINDOWS\system32\nipplgex.dll
2007-07-08 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-06-27 11:03 99,840 --a------ C:\WINDOWS\system32\Zipdll.dll
2007-06-27 11:03 94,208 --a------ C:\WINDOWS\system32\Unzdll.dll
2007-06-27 11:03 78,848 --a------ C:\WINDOWS\system32\IC32.DLL
2007-06-27 11:03 77,824 --a------ C:\WINDOWS\system32\msbind.dll
2007-06-27 11:03 66,560 --a------ C:\WINDOWS\system32\Txtls32.dll
2007-06-27 11:03 640,512 --a------ C:\WINDOWS\system32\OC30.DLL
2007-06-27 11:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-27 11:03 570,128 --a------ C:\WINDOWS\system32\dao350.dll
2007-06-27 11:03 48,128 --a------ C:\WINDOWS\system32\Wndtls32.dll
2007-06-27 11:03 430,080 --a------ C:\WINDOWS\system32\Msrepl35.dll
2007-06-27 11:03 348,672 --a------ C:\WINDOWS\system32\txobj32.dll
2007-06-27 11:03 314,880 --a------ C:\WINDOWS\system32\Tx32.dll
2007-06-27 11:03 299,008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL
2007-06-27 11:03 262,144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-06-27 11:03 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2007-06-27 11:03 230,912 --a------ C:\WINDOWS\system32\Zipit.dll
2007-06-27 11:03 137,216 --a------ C:\WINDOWS\system32\MSDERUN.DLL
2007-06-27 11:03 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
2007-06-27 11:03 1,050,896 --a------ C:\WINDOWS\system32\Msjet35.dll
2007-06-26 10:21 <DIR> d-------- C:\BWEDU
2007-06-26 08:30 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-26 08:29 <DIR> d-------- C:\Program Files\Pidgin
2007-06-21 15:05 <DIR> d-------- C:\jakarta-jmeter-2.2
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Reflection
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Lotus
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Common Files\Lotus
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Business Objects
2007-06-08 08:03 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-08 08:03 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-06-08 08:02 <DIR> d-------- C:\Temp\remedy_7_0
2007-06-04 11:14 <DIR> d-------- C:\Program Files\Trillian
2007-06-01 16:20 <DIR> d-------- C:\DOCUME~1\PKumar\.hawk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 07:48 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.gaim
2007-07-29 20:53 --------- d-------- C:\Program Files\PowerArchiver
2007-07-29 07:08 --------- d-------- C:\Program Files\Network Associates
2007-07-26 14:49 --------- d-------- C:\Program Files\Online Services
2007-07-23 17:25 --------- d-------- C:\Program Files\PLSQL Developer
2007-06-26 08:31 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-08 21:27 --------- d-------- C:\Program Files\DivX
2007-06-08 08:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-09 15:00 186443 --a------ C:\WINDOWS\system32\atasnt40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-08-31 16:50]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 C:\WINDOWS\system32\nwtray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-09 20:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2004-06-15 21:03:42]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-16 14:03:35]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe [2005-10-04 18:23:04]
GKProbe.lnk - C:\Program Files\Credant\Gatekeeper\GKProbe.exe [2006-03-22 21:13:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
"SynchronousMachineGroupPolicy"=1 (0x1)
"SynchronousUserGroupPolicy"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"DisallowRun"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2004-06-15 21:03 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CredNP]
CredNP.dll 2006-11-01 19:19 155725 C:\WINDOWS\system32\CredNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2004-10-01 14:32 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-398323\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-9889\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys
R2 BthServ;Bluetooth Support Service;C:\WINDOWS\system32\svchost.exe -k bthsvcs
R2 CMGShield;CMG Shield;C:\WINDOWS\system32\Credant.exe
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 guardian;CREDANT Mobile Guardian Gatekeeper;"C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe"
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 APSINV;APSINV;\??\C:\WINDOWS\system32\DRIVERS\APSINV.SYS
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 BthEnum;Bluetooth Request Block Driver;C:\WINDOWS\system32\DRIVERS\BthEnum.sys
S3 BthPan;Bluetooth Device (Personal Area Network);C:\WINDOWS\system32\DRIVERS\bthpan.sys
S3 BTHPORT;Bluetooth Port Driver;C:\WINDOWS\system32\Drivers\BTHport.sys
S3 BTHUSB;Bluetooth Radio USB Driver;C:\WINDOWS\system32\Drivers\BTHUSB.sys
S3 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 HSXHWAZL;HSXHWAZL;C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE
S3 OracleORACLE_INCONCERTAgent;OracleORACLE_INCONCERTAgent;C:\oranthphcdata\bin\agntsrvc.exe
S3 OracleORACLE_INCONCERTClientCache;OracleORACLE_INCONCERTClientCache;C:\oranthphcdata\BIN\ONRSD.EXE
S3 OracleORACLE_INCONCERTHTTPServer;OracleORACLE_INCONCERTHTTPServer;"C:\oranthphcdata\Apache\Apache\apache.exe" --ntservice
S3 OracleORACLE_INCONCERTPagingServer;OracleORACLE_INCONCERTPagingServer;C:\oranthphcdata/bin/pagntsrv.exe
S3 OracleORACLE_INCONCERTSNMPPeerEncapsulator;OracleORACLE_INCONCERTSNMPPeerEncapsulator;C:\oranthphcdata\BIN\ENCSVC.EXE
S3 OracleORACLE_INCONCERTSNMPPeerMasterAgent;OracleORACLE_INCONCERTSNMPPeerMasterAgent;C:\oranthphcdata\BIN\AGNTSVC.EXE
S3 OracleORACLE_INCONCERTTNSListener;OracleORACLE_INCONCERTTNSListener;C:\oranthphcdata\BIN\TNSLSNR
S3 OracleORACLE9_HOMEPagingServer;OracleORACLE9_HOMEPagingServer;C:\orantdata/bin/pagntsrv.exe
S3 OracleServiceINCON;OracleServiceINCON;c:\oranthphcdata\bin\ORACLE.EXE INCON
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 tibemsd;TIBCO EMS Server;C:\tibco\ems\bin\emsntsct.exe "tibemsd"
S3 TIBHawkAgent;TIBCO Hawk Agent;C:\tibco\hawk\bin\tibhawkagentnt.exe
S3 TIBHawkEvent;TIBCO Hawk Event;C:\tibco\hawk\bin\tibhawkeventnt.exe
S3 TIBHawkHMA;TIBCO Hawk HMA;C:\tibco\hawk\bin\tibhawkhma.exe --service TIBHawkHMA
S3 TIBInConcert Repository Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe C:\tibco\bwc\5.2\server\PRIMAR~1 Primary_Server_Name
S3 TIBInConcert Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe Primary_Server_Name
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 USB55N51;D-Link AirPlus G DWL-G122 Wireless Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\USB55N51.sys
S3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S4 Oracle ADI Service;Oracle ADI Service;C:\orant\BIN\ADISRV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b5dcb0-0fbd-11dc-9b1a-000b7d26e945}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 09:44:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBCOAdmin-GHPHC]
"ImagePath"="C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe --ntservice \"TIBCOAdmin-GHPHC\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBHawkAgent-GHPHC]
"ImagePath"="C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe --ntservice \"TIBHawkAgent-GHPHC\""

Completion time: 2007-07-30 9:45:39
C:\ComboFix-quarantined-files.txt ... 2007-07-30 09:45
C:\ComboFix2.txt ... 2007-07-30 09:03
C:\ComboFix3.txt ... 2007-07-29 20:31

--- E O F ---


HijackThis Log continued in next post
 
Conitnue .................


HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O20 - Winlogon Notify: CredNP - C:\WINDOWS\SYSTEM32\CredNP.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Broadcom Corporation - (no file)
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7951 bytes


Thanks
 
Hi

How about this?

"Have you set these by yourself?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe"

And did you include all these lines to CFScript?

File::
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

Folder::
C:\Temp
 
Hi Shaba,

Sorry for forgetting to reply your question.

I created a file CFScript.txt and included the

C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

I copied the file into temp folder.

The answer to below is "yes" , I have set the policies.


"Have you set these by yourself?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe"

And did you include all these lines to CFScript?

File::
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

Folder::
C:\Temp

Thanks
 
Hi

You are supposed to include ALL lines below to CFScript :)

File::
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

Folder::
C:\Temp

After that, try again that CFScript thing
 
Hi Shaba,

I have misunderstood about the code.

File::
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll

Folder::
C:\Temp

I am doing it in the right way now.
Will post the log very soon.

Thanks for your patience.

Regards
 
Hi Shaba,

Below are the logs

ComboFix log


ComboFix 07-07-30.2 - "PNuthula" 2007-07-30 10:39:39.3 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Gan\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\Temp\0c2\tmpFF.log
C:\Temp\brr\tmpZTF.log
C:\Temp\CFScript.txt
C:\Temp\Harvest\AllFusion_Harvest_Workbench.msi
C:\Temp\Harvest\CredDB.CEF
C:\Temp\Harvest\Harvest.txt
C:\Temp\Harvest\Harvest_Install.bat
C:\Temp\log.txt
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\nipplgex.dll


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-29 20:54 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-29 20:53 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\Simply Super Software
2007-07-29 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 19:16 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-29 07:14 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-07-29 07:06 <DIR> d-------- C:\KAV
2007-07-28 20:36 13,998 --a------ C:\dnsbak.reg
2007-07-08 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-06-27 11:03 99,840 --a------ C:\WINDOWS\system32\Zipdll.dll
2007-06-27 11:03 94,208 --a------ C:\WINDOWS\system32\Unzdll.dll
2007-06-27 11:03 78,848 --a------ C:\WINDOWS\system32\IC32.DLL
2007-06-27 11:03 77,824 --a------ C:\WINDOWS\system32\msbind.dll
2007-06-27 11:03 66,560 --a------ C:\WINDOWS\system32\Txtls32.dll
2007-06-27 11:03 640,512 --a------ C:\WINDOWS\system32\OC30.DLL
2007-06-27 11:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-27 11:03 570,128 --a------ C:\WINDOWS\system32\dao350.dll
2007-06-27 11:03 48,128 --a------ C:\WINDOWS\system32\Wndtls32.dll
2007-06-27 11:03 430,080 --a------ C:\WINDOWS\system32\Msrepl35.dll
2007-06-27 11:03 348,672 --a------ C:\WINDOWS\system32\txobj32.dll
2007-06-27 11:03 314,880 --a------ C:\WINDOWS\system32\Tx32.dll
2007-06-27 11:03 299,008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL
2007-06-27 11:03 262,144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-06-27 11:03 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2007-06-27 11:03 230,912 --a------ C:\WINDOWS\system32\Zipit.dll
2007-06-27 11:03 137,216 --a------ C:\WINDOWS\system32\MSDERUN.DLL
2007-06-27 11:03 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
2007-06-27 11:03 1,050,896 --a------ C:\WINDOWS\system32\Msjet35.dll
2007-06-26 10:21 <DIR> d-------- C:\BWEDU
2007-06-26 08:30 <DIR> d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-26 08:29 <DIR> d-------- C:\Program Files\Pidgin
2007-06-21 15:05 <DIR> d-------- C:\jakarta-jmeter-2.2
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Reflection
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Lotus
2007-06-20 09:44 <DIR> d-------- C:\Program Files\Common Files\Lotus
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2007-06-08 08:04 <DIR> d-------- C:\Program Files\Business Objects
2007-06-08 08:03 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-08 08:03 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-06-04 11:14 <DIR> d-------- C:\Program Files\Trillian
2007-06-01 16:20 <DIR> d-------- C:\DOCUME~1\PKumar\.hawk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 07:48 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.gaim
2007-07-29 20:53 --------- d-------- C:\Program Files\PowerArchiver
2007-07-29 07:08 --------- d-------- C:\Program Files\Network Associates
2007-07-26 14:49 --------- d-------- C:\Program Files\Online Services
2007-07-23 17:25 --------- d-------- C:\Program Files\PLSQL Developer
2007-06-26 08:31 --------- d-------- C:\DOCUME~1\PKumar\APPLIC~1\.purple
2007-06-08 21:27 --------- d-------- C:\Program Files\DivX
2007-06-08 08:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-09 15:00 186443 --a------ C:\WINDOWS\system32\atasnt40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-08-31 16:50]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 C:\WINDOWS\system32\nwtray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-09 20:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2004-06-15 21:03:42]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-16 14:03:35]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe [2005-10-04 18:23:04]
GKProbe.lnk - C:\Program Files\Credant\Gatekeeper\GKProbe.exe [2006-03-22 21:13:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
"SynchronousMachineGroupPolicy"=1 (0x1)
"SynchronousUserGroupPolicy"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"DisallowRun"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=ds-rwe.exe
"2"=jusched.exe
"3"=kazaa.exe
"4"=limewirewin.exe
"5"=ssl32dr.exe
"6"=windde32.exe
"7"=winlog.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2004-06-15 21:03 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CredNP]
CredNP.dll 2006-11-01 19:19 155725 C:\WINDOWS\system32\CredNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2004-10-01 14:32 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 12:01 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-398323\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-794644517-2594211187-3292303677-9889\Scripts\Logon\0\0]
"Script"=\\EHEALTH.HPHC.ORG\SysVol\EHEALTH.HPHC.ORG\scripts\LoginCheckAIM-PROD.vbe

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 Gernuwa;Gernuwa;C:\WINDOWS\system32\drivers\Gernuwa.sys
R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys
R2 BthServ;Bluetooth Support Service;C:\WINDOWS\system32\svchost.exe -k bthsvcs
R2 CMGShield;CMG Shield;C:\WINDOWS\system32\Credant.exe
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 guardian;CREDANT Mobile Guardian Gatekeeper;"C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe"
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 APSINV;APSINV;\??\C:\WINDOWS\system32\DRIVERS\APSINV.SYS
S3 awhost32;pcAnywhere Host Service;C:\Program Files\Symantec\pcAnywhere\awhost32.exe
S3 BthEnum;Bluetooth Request Block Driver;C:\WINDOWS\system32\DRIVERS\BthEnum.sys
S3 BthPan;Bluetooth Device (Personal Area Network);C:\WINDOWS\system32\DRIVERS\bthpan.sys
S3 BTHPORT;Bluetooth Port Driver;C:\WINDOWS\system32\Drivers\BTHport.sys
S3 BTHUSB;Bluetooth Radio USB Driver;C:\WINDOWS\system32\Drivers\BTHUSB.sys
S3 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 HSXHWAZL;HSXHWAZL;C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE
S3 OracleORACLE_INCONCERTAgent;OracleORACLE_INCONCERTAgent;C:\oranthphcdata\bin\agntsrvc.exe
S3 OracleORACLE_INCONCERTClientCache;OracleORACLE_INCONCERTClientCache;C:\oranthphcdata\BIN\ONRSD.EXE
S3 OracleORACLE_INCONCERTHTTPServer;OracleORACLE_INCONCERTHTTPServer;"C:\oranthphcdata\Apache\Apache\apache.exe" --ntservice
S3 OracleORACLE_INCONCERTPagingServer;OracleORACLE_INCONCERTPagingServer;C:\oranthphcdata/bin/pagntsrv.exe
S3 OracleORACLE_INCONCERTSNMPPeerEncapsulator;OracleORACLE_INCONCERTSNMPPeerEncapsulator;C:\oranthphcdata\BIN\ENCSVC.EXE
S3 OracleORACLE_INCONCERTSNMPPeerMasterAgent;OracleORACLE_INCONCERTSNMPPeerMasterAgent;C:\oranthphcdata\BIN\AGNTSVC.EXE
S3 OracleORACLE_INCONCERTTNSListener;OracleORACLE_INCONCERTTNSListener;C:\oranthphcdata\BIN\TNSLSNR
S3 OracleORACLE9_HOMEPagingServer;OracleORACLE9_HOMEPagingServer;C:\orantdata/bin/pagntsrv.exe
S3 OracleServiceINCON;OracleServiceINCON;c:\oranthphcdata\bin\ORACLE.EXE INCON
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 tibemsd;TIBCO EMS Server;C:\tibco\ems\bin\emsntsct.exe "tibemsd"
S3 TIBHawkAgent;TIBCO Hawk Agent;C:\tibco\hawk\bin\tibhawkagentnt.exe
S3 TIBHawkEvent;TIBCO Hawk Event;C:\tibco\hawk\bin\tibhawkeventnt.exe
S3 TIBHawkHMA;TIBCO Hawk HMA;C:\tibco\hawk\bin\tibhawkhma.exe --service TIBHawkHMA
S3 TIBInConcert Repository Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe C:\tibco\bwc\5.2\server\PRIMAR~1 Primary_Server_Name
S3 TIBInConcert Server Primary_Server_Name;TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name;C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe Primary_Server_Name
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 USB55N51;D-Link AirPlus G DWL-G122 Wireless Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\USB55N51.sys
S3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S4 Oracle ADI Service;Oracle ADI Service;C:\orant\BIN\ADISRV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b5dcb0-0fbd-11dc-9b1a-000b7d26e945}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 10:46:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBCOAdmin-GHPHC]
"ImagePath"="C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe --ntservice \"TIBCOAdmin-GHPHC\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TIBHawkAgent-GHPHC]
"ImagePath"="C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe --ntservice \"TIBHawkAgent-GHPHC\""

Completion time: 2007-07-30 10:46:59
C:\ComboFix-quarantined-files.txt ... 2007-07-30 10:46
C:\ComboFix2.txt ... 2007-07-30 09:45
C:\ComboFix3.txt ... 2007-07-30 09:03

--- E O F ---


HijackThis conitnue in next post
 
Continue ........



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Lotus\notes\NLNOTES.EXE
C:\Lotus\notes\ntaskldr.EXE
C:\WINDOWS\system32\cmd.exe
C:\tibco\jre\1.4.2\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\tibco\jre\1.4.2\bin\java.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O20 - Winlogon Notify: CredNP - C:\WINDOWS\SYSTEM32\CredNP.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Broadcom Corporation - (no file)
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 8243 bytes


Thanks
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi Shaba,

Sorry for late reply , the scanning too more time then expected.
below is the report after scan


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-07-31 04:00
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/07/2007
Kaspersky Anti-Virus database records: 369896
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
M:\
Z:\

Scan Statistics:
Total number of scanned objects: 264394
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 07:05:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0016_Scan_My_Computer_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\002c_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0030_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\003a_Scan_Objects_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_L000700997.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_L000700997.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PKumar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\PKumar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\PKumar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\PKumar\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PKumar\Local Settings\History\History.IE5\MSHist012007073020070731\index.dat Object is locked skipped
C:\Documents and Settings\PKumar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PKumar\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\PKumar\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\RMErrorLog1.txt Object is locked skipped
C:\System Volume Information\_restore{A07AA049-0059-4356-B952-876328E40D3A}\RP253\A0039282.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{A07AA049-0059-4356-B952-876328E40D3A}\RP254\A0039465.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{A07AA049-0059-4356-B952-876328E40D3A}\RP254\A0039466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{A07AA049-0059-4356-B952-876328E40D3A}\RP262\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\CredSys.cdb Object is locked skipped
C:\WINDOWS\system32\credsys.vlt Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\novell\nici\ZEntest.EHEALTH\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\ZEntest.EHEALTH\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\cch~1580f05574.htp Object is locked skipped
C:\WINDOWS\Temp\cch~1580f06015.htp Object is locked skipped
C:\WINDOWS\Temp\NAILogs\UpdaterUI_L000700997.log Object is locked skipped
C:\WINDOWS\Temp\PREC1D.tmp Object is locked skipped
C:\WINDOWS\Temp\PREC1E.tmp Object is locked skipped
C:\WINDOWS\Temp\~DF355C.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.



Coninue ......................
 
Continue

HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:02, on 2007-07-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Credant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hphc.org
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tibcoevents.webex.com/client/T23LSP33EP10/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG
O20 - Winlogon Notify: CredNP - C:\WINDOWS\SYSTEM32\CredNP.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: TIBCO BusinessFactor 5.1 Embedded DB Manager (bf51ttsrv51.exe) - Broadcom Corporation - (no file)
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\WINDOWS\system32\Credant.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orantdata\bin\omtsreco.exe
O23 - Service: OracleORACLE9_HOMEPagingServer - Unknown owner - C:\orantdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTAgent - Oracle Corporation - C:\oranthphcdata\bin\agntsrvc.exe
O23 - Service: OracleORACLE_INCONCERTClientCache - Unknown owner - C:\oranthphcdata\BIN\ONRSD.EXE
O23 - Service: OracleORACLE_INCONCERTHTTPServer - Unknown owner - C:\oranthphcdata\Apache\Apache\apache.exe
O23 - Service: OracleORACLE_INCONCERTPagingServer - Unknown owner - C:\oranthphcdata/bin/pagntsrv.exe
O23 - Service: OracleORACLE_INCONCERTSNMPPeerEncapsulator - Unknown owner - C:\oranthphcdata\BIN\ENCSVC.EXE
O23 - Service: OracleORACLE_INCONCERTSNMPPeerMasterAgent - Unknown owner - C:\oranthphcdata\BIN\AGNTSVC.EXE
O23 - Service: OracleORACLE_INCONCERTTNSListener - Unknown owner - C:\oranthphcdata\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINCON - Oracle Corporation - c:\oranthphcdata\bin\ORACLE.EXE
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: TIBCO Administrator 5.2 (GHPHC) (TIBCOAdmin-GHPHC) - Unknown owner - C:/tibco/administrator/5.2/bin/tibcoadmin_GHPHC.exe
O23 - Service: TIBCO EMS Server (tibemsd) - Unknown owner - C:\tibco\ems\bin\emsntsct.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (GHPHC) (TIBHawkAgent-GHPHC) - Unknown owner - C:/tibco/tra/domain/GHPHC/hawkagent_GHPHC.exe
O23 - Service: TIBCO Hawk Event (TIBHawkEvent) - Unknown owner - C:\tibco\hawk\bin\tibhawkeventnt.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: TIBCO BusinessWorks Collaborator Document Repository Server Primary_Server_Name (TIBInConcert Repository Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icrepdaemon.exe
O23 - Service: TIBCO BusinessWorks Collaborator Workflow Server Primary_Server_Name (TIBInConcert Server Primary_Server_Name) - TIBCO Software Inc. - C:\tibco\bwc\5.2\server\PRIMAR~1\bin\icservmain.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 8763 bytes

Thanks
 
You must log in or register to reply here.
Back
Top