Malware Removal Help

amitverma · Dec 8, 2007

Hi there,

Last few weeks i am fighting to clean my system with malwares. i have installed Adaware, spybot, windows defender. and cleaned many of them. then i found "virtuemode" in my system. to remove that i followed the instuctions given in other posts of this forum.
i have completed all steps.
i am posting logs of diff software here , please tell me do i still need to remove any other malware.

Thanks,
Amit

amitverma · Dec 8, 2007

viruemonde

VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 12:48:43 PM 12/8/2007

Listing files found while scanning....

C:\windows\system32\rqstv.ini
C:\windows\system32\rqstv.ini2
C:\windows\system32\vtsqr.dll

Beginning removal...

Beginning removal...

VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 1:49:40 PM 12/8/2007

Listing files found while scanning....

C:\windows\system32\rqstv.ini
C:\windows\system32\rqstv.ini2
C:\windows\system32\vtsqr.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqstv.ini
C:\windows\system32\rqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\rqstv.ini2
C:\windows\system32\rqstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vtsqr.dll
C:\windows\system32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Sun Java not detected
Scan started at 7:55:08 PM 12/8/2007

Listing files found while scanning....

No infected files were found.

amitverma · Dec 8, 2007

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 12/08/2007 at 11:36 PM

Application Version : 3.9.1008

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 02:47:01

Memory items scanned : 587
Memory threats detected : 0
Registry items scanned : 8904
Registry threats detected : 35
File items scanned : 174797
File threats detected : 25

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{61645BCA-4354-4012-8450-85673B717019}
HKCR\CLSID\{61645BCA-4354-4012-8450-85673B717019}
HKCR\CLSID\{61645BCA-4354-4012-8450-85673B717019}\InprocServer32
HKCR\CLSID\{61645BCA-4354-4012-8450-85673B717019}\InprocServer32#ThreadingModel
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\0\win32
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\FLAGS
HKCR\TypeLib\{FFBC50F3-043C-11D1-911D-006097C99383}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\VTSQR.DLL
HKLM\Software\Classes\CLSID\{A9348417-7CD2-4100-812E-7D965B6E5680}
HKCR\CLSID\{A9348417-7CD2-4100-812E-7D965B6E5680}
HKCR\CLSID\{A9348417-7CD2-4100-812E-7D965B6E5680}\InprocServer32
HKCR\CLSID\{A9348417-7CD2-4100-812E-7D965B6E5680}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61645BCA-4354-4012-8450-85673B717019}

Adware.Vundo-Variant/Small-A
HKLM\Software\Classes\CLSID\{9F284E2B-F86C-F3E2-8605-34EA07201B76}
HKCR\CLSID\{9F284E2B-F86C-F3E2-8605-34EA07201B76}
HKCR\CLSID\{9F284E2B-F86C-F3E2-8605-34EA07201B76}
HKCR\CLSID\{9F284E2B-F86C-F3E2-8605-34EA07201B76}\InprocServer32
HKCR\CLSID\{9F284E2B-F86C-F3E2-8605-34EA07201B76}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\BFAHVXBF.DLL
C:\RECYCLER\S-1-5-21-790525478-1708537768-839522115-1003\DC10.DLL
C:\WINDOWS\SYSTEM32\BXDOQLAY.DLL
C:\WINDOWS\SYSTEM32\GTKDIAFM.DLL
C:\WINDOWS\SYSTEM32\LHAVLHPQ.DLL
C:\WINDOWS\SYSTEM32\UBSJWDTX.DLL
C:\WINDOWS\SYSTEM32\VSGNEBVE.DLL
C:\WINDOWS\SYSTEM32\YBTFIMRS.DLL
C:\WINDOWS\SYSTEM32\YCVAXEMI.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{E45EA37E-77B2-48F6-83AE-2ACB09EC279F}
HKCR\CLSID\{E45EA37E-77B2-48F6-83AE-2ACB09EC279F}
HKCR\CLSID\{E45EA37E-77B2-48F6-83AE-2ACB09EC279F}\InprocServer32
HKCR\CLSID\{E45EA37E-77B2-48F6-83AE-2ACB09EC279F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEBX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}

Adware.Tracking Cookie
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@indiads[1].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@2o7[1].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@ads.monster[2].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@ads3.blastro[2].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@ads4.blastro[2].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@advertising[2].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@atdmt[2].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@redirect.clickshield[1].txt
C:\Documents and Settings\Amit Verma\Cookies\amit_verma@trafficmp[2].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Adware.Web Buying
HKU\S-1-5-21-790525478-1708537768-839522115-1003\Software\WebBuying

Trojan.WINIOGON
C:\RECYCLER\S-1-5-21-790525478-1708537768-839522115-1003\DC9\SYSTEM32\OS\WINIOGON.EXE

Trojan.Downloader-Gen/TaLDrv
C:\WINDOWS\SYSTEM32\M8\NSTS2DLL1.EXE
C:\WINDOWS\SYSTEM32\N8\ENSTS2DLL.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

Adware.WebBuying Assistant-Installer
C:\WINDOWS\WBUN.EXE

amitverma · Dec 8, 2007

Combo Fix

Combo fix Log

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.303 [GMT 5.5:30]
Running from: C:\Documents and Settings\Amit Verma\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\Desktop__.ini
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\csdgvurs.dll
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\FrmInst.exe.exe
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\n8
D:\RECYCLER\Desktop__.ini
E:\RECYCLER\Desktop__.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE

((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-08 20:43 . 2007-12-08 20:43 <DIR> d-------- C:\Documents and Settings\Amit Verma\Application Data\SUPERAntiSpyware.com
2007-12-08 12:48 . 2007-12-08 19:55 <DIR> d-------- C:\VundoFix Backups
2007-12-08 00:45 . 2007-12-08 00:45 <DIR> d-------- C:\Documents and Settings\Amit Verma\Application Data\IsolatedStorage
2007-12-07 18:44 . 2007-12-07 18:44 834,100 --ahs---- C:\WINDOWS\system32\srmiftby.ini
2007-12-06 10:43 . 2007-12-06 10:43 807,468 --ahs---- C:\WINDOWS\system32\mfaidktg.ini
2007-12-06 08:42 . 2007-12-06 08:42 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-05 10:42 . 2007-12-05 10:42 805,321 --ahs---- C:\WINDOWS\system32\qphlvahl.ini
2007-12-05 08:41 . 2007-12-05 08:41 159 --a------ C:\WINDOWS\wininit.ini
2007-12-05 08:09 . 2007-12-05 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 10:41 . 2007-12-04 10:41 788,468 --ahs---- C:\WINDOWS\system32\evbengsv.ini
2007-12-03 10:39 . 2007-12-03 10:39 793,664 --ahs---- C:\WINDOWS\system32\yalqodxb.ini
2007-12-01 07:53 . 2007-12-01 07:53 140 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-01 02:21 . 2007-12-01 02:23 793,776 --ahs---- C:\WINDOWS\system32\vcvgmcwa.ini
2007-11-30 19:10 . 2006-05-05 15:11 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-11-30 18:54 . 2007-11-30 19:07 793,673 --ahs---- C:\WINDOWS\system32\jiblaslu.ini
2007-11-29 18:51 . 2007-11-29 18:51 789,924 --ahs---- C:\WINDOWS\system32\ctlgyelq.ini
2007-11-28 11:30 . 2007-11-28 11:30 778,054 --ahs---- C:\WINDOWS\system32\xtdwjsbu.ini
2007-11-28 07:44 . 2007-02-28 14:40 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-11-28 07:44 . 2007-02-28 14:38 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-11-28 07:44 . 2007-02-28 14:08 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-11-28 07:44 . 2007-02-28 14:08 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-11-27 21:21 . 2007-11-27 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-27 21:20 . 2007-12-08 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 10:20 . 2007-11-27 10:30 780,814 --ahs---- C:\WINDOWS\system32\imexavcy.ini
2007-11-26 19:58 . 2007-11-27 04:36 <DIR> d--hs---- C:\WINDOWS\Q1M
2007-11-26 08:15 . 2007-11-26 20:52 776,210 --ahs---- C:\WINDOWS\system32\ibvybxby.ini
2007-11-25 05:26 . 2007-11-26 07:36 775,970 --ahs---- C:\WINDOWS\system32\dnhwfotv.ini
2007-11-24 20:45 . 2007-11-24 20:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-24 05:24 . 2007-11-24 20:39 775,946 --ahs---- C:\WINDOWS\system32\fbxvhafb.ini
2007-11-22 10:54 . 2007-11-27 22:42 321 --ahs---- C:\WINDOWS\system32\xbeeg.ini
2007-11-14 04:04 . 2007-11-14 04:04 <DIR> d-------- C:\Documents and Settings\Amit Verma\Application Data\Scooter Software
2007-11-10 20:44 . 2007-12-08 13:46 <DIR> d-------- C:\quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 17:58 --------- d-----w C:\Documents and Settings\Amit Verma\Application Data\Skype
2007-11-26 03:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 02:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-07 06:12 --------- d-----w C:\Program Files\ZohoMeeting
2007-11-06 14:54 --------- d-----w C:\Program Files\JETSTAT.COM
2007-11-05 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Red Gate
2007-11-02 16:53 --------- d-----w C:\Documents and Settings\Amit Verma\Application Data\Microsoft FxCop
2007-11-02 16:48 --------- d-----w C:\Program Files\Microsoft FxCop 1.35
2007-11-02 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-28 14:02 --------- d-----w C:\Documents and Settings\Amit Verma\Application Data\Media Player Classic
2007-10-28 14:01 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-23 07:19 --------- d-----w C:\Documents and Settings\Amit Verma\Application Data\Etasoft Inc
2007-10-15 16:48 --------- d-----w C:\Program Files\Citrix
2007-09-27 10:18 6,133,312 ----a-w C:\Documents and Settings\Amit Verma\POWERPNT.EXE.exe
2007-09-27 10:10 9 --sha-r C:\Program Files\Desktop__.ini
2007-09-26 09:25 196,152 ----a-w C:\Documents and Settings\Amit Verma\OUTLOOK.EXE.exe
2007-09-25 07:38 157,696 ----a-w C:\ipmsg.exe
2007-09-24 07:43 1,564,672 ----a-w C:\Documents and Settings\Amit Verma\TortoiseAct.exe.exe
2007-09-22 09:37 734,872 ----a-w C:\Documents and Settings\Amit Verma\AdobeCollabSync.exe.exe
2007-09-22 06:36 204,845 ----a-w C:\Documents and Settings\Amit Verma\realplay.exe.exe
2007-09-22 05:58 53,248 ----a-w C:\Documents and Settings\Amit Verma\AzMixerSel.exe.exe
2007-09-22 05:58 286,720 ----a-w C:\Documents and Settings\Amit Verma\QTTask.exe.exe
2007-09-22 05:42 7,671,876 ----a-w C:\Documents and Settings\Amit Verma\AcroRd32.exe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{977ED744-96FE-44F1-B015-BED5591B82B0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E30EE3B9-A23F-421D-838E-94800D092249}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-06-09 13:42 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-03-15 21:50 1073152 --a------ E:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-01-14 14:30]
"DBISQL9"="D:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-01-26 18:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 07:27]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 07:27]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 07:27]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 07:12 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 07:12 C:\WINDOWS\SkyTel.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 17:30 C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-05 23:29]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 03:50]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"nvscv32"="C:\WINDOWS\system32\drivers\ncscv32.exe" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrsp]
tuvsrsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ipmsg.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipmsg.lnk
backup=C:\WINDOWS\pss\ipmsg.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 22:46 624248 --a------ D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadcomWireless]
C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DBISQL9]
D:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-13 07:27 77824 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-13 07:27 118784 -ra------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-13 07:27 94208 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvscv32]
C:\WINDOWS\system32\drivers\ncscv32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
D:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SybaseCentral43]
D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-29 06:13 766041 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 ANTS Profiler 3 Service;ANTS Profiler 3 Service;"D:\Program Files\Red Gate\ANTS Profiler 3\RedGate.Profiler.IISProfileHost.exe"
S3 btwaudio;Bluetooth Audio Device Service;C:\WINDOWS\system32\drivers\btwaudio.sys
S3 btwavdt;Bluetooth AVDT;C:\WINDOWS\system32\drivers\btwavdt.sys
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"D:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

*Newly Created Service* - ENTDRV51

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpconn.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 18:28:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 23:57:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 23:59:49 - machine was rebooted
.
--- E O F ---

amitverma · Dec 8, 2007

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:36:05 AM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\MICROS~2\MSSQL\binn\sqlagent.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\DOCUME~1\AMITVE~1\LOCALS~1\Temp\RtkBtMnt.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Amit Verma\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {977ED744-96FE-44F1-B015-BED5591B82B0} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E30EE3B9-A23F-421D-838E-94800D092249} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SybaseCentral43] "D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "D:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {975F9329-0F5F-48D2-ADF8-AEFB19DEFB5F} (ZohoMeeting Control) - http://meeting.zoho.com/login/Agent.jsp
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5126/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: tuvsrsp - tuvsrsp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ANTS Profiler 3 Service - Red Gate Software Ltd - D:\Program Files\Red Gate\ANTS Profiler 3\RedGate.Profiler.IISProfileHost.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

pskelley · Dec 10, 2007

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

NOTE: We do NOT ask for ComboFix etc before helpers have analysed HJT/KAV scans
http://forums.spybot.info/showthread.php?t=16806

Are your problems resolved? If not, read the directions and post the correct HJT log, version 2.0.2 and I will take a look. Please do not run and post a Kaspersky scan until I request it. If you issues are resolved, post to let me know so I can close your topic.

Thanks

amitverma · Dec 11, 2007

HJT log Version 2.0.2

Hi ,
I am not getting pop up now. i just want to make sure there is no other malwares left in system. as you asked here is log from HJT v2.0.2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:52 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\MICROS~2\MSSQL\binn\sqlagent.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\DOCUME~1\AMITVE~1\LOCALS~1\Temp\RtkBtMnt.exe
D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {977ED744-96FE-44F1-B015-BED5591B82B0} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E30EE3B9-A23F-421D-838E-94800D092249} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SybaseCentral43] "D:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "D:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {975F9329-0F5F-48D2-ADF8-AEFB19DEFB5F} (ZohoMeeting Control) - http://meeting.zoho.com/login/Agent.jsp
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5126/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvsrsp - tuvsrsp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ANTS Profiler 3 Service - Red Gate Software Ltd - D:\Program Files\Red Gate\ANTS Profiler 3\RedGate.Profiler.IISProfileHost.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 10105 bytes

pskelley · Dec 11, 2007

Thanks for returning your information, you still have problems, I am not sure how bad, see this:
O4 - HKUS\S-1-5-18\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe (User 'SYSTEM') G
O4 - HKUS\.DEFAULT\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe (User 'Default user')
http://www.bleepingcomputer.com/startups/nvscv32-16906.html
http://www.sophos.com/security/analyses/w32fujacksl.html

Since this is a backdoor trojan, I would read all of that information about it and consider this information for your safety:
(may not be this serious, but I would err on the side of caution if I were you)
You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

If you wish to move against this junk, let's try combofix first:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks

pskelley · Dec 22, 2007

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it had been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.

Malware Removal Help

amitverma

New member

amitverma

New member

amitverma

New member

amitverma

New member

amitverma

New member

pskelley

In Memoriam -Always in our heart

amitverma

New member

pskelley

In Memoriam -Always in our heart

pskelley

In Memoriam -Always in our heart