My computer is sending hundreds of spam emails as soon as I am connected to internet

[tsreddi]

My issue is similar to the issue in :http://forums.spybot.info/showthread.php?t=6059

I tried to update my symantec and run scans so many times without any result. I followed the steps in link: http://forums.spybot.info/showthread.php?t=288



Here is the log from HijackThis
---------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:20 PM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.co.in/s/v/57.11/uploader2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04EC07C5-3076-428D-915F-AD871D5E7095}: NameServer = 218.248.240.180 218.248.240.79
O17 - HKLM\System\CS2\Services\Tcpip\..\{04EC07C5-3076-428D-915F-AD871D5E7095}: NameServer = 218.248.240.180 218.248.240.79
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/shyam/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 9255 bytes
------------------------------------------------------------------


Please let me know any more info is needed.

thanks

 

[shelf life]

hi tsreddi,

Your log is a few days old. If you still need help simply reply to my post.

 

[tsreddi]

This is my latest log.... I need some help here..

----------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:40 AM, on 1/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070621
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.co.in/s/v/57.11/uploader2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04EC07C5-3076-428D-915F-AD871D5E7095}: NameServer = 218.248.240.180 218.248.240.79
O17 - HKLM\System\CS2\Services\Tcpip\..\{04EC07C5-3076-428D-915F-AD871D5E7095}: NameServer = 218.248.240.180 218.248.240.79
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/shyam/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 10236 bytes

 

[shelf life]

hi,

ok we will get two downloads to use. The first is called Combofix. There is a guide to read first before you use it. Use combofix first. The second one is Malwarebytes. Use it after combofix is done.

Read the guide, download combofix, save it to your desktop. Disable any running AV or anti-malware, double click the icon and follow the prompts.

Guide to using Combofix

Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

 

[tsreddi]

ComboFix:

I downloaded and run combofix. It ran fine till it reached 'delete files' step then it encountered some Error and needed a hard reboot of my system.

MalwareBytes:
Anyway went ahead and ran this one. I think it has detected some issues.

I am pasting the log here:

---------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.43
Database version: 3469
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2010 1:08:32 AM
mbam-log-2010-01-02 (01-08-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200815
Time elapsed: 58 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{18b0e5c2-99cb-11cf-ayx5-00401c648513} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\jklewc.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\shyam\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

----------------------------------------------------------------------


After the reboot my system looks fine but I am not sure about future.

Thanks for the help. Please let me know if I need to do any more. Thanks once again.

 

[shelf life]

ok.good. Hold off on using Combofix for now. After Malwarebytes ran you rebooted at the prompt? Check Malwarebytes for any updates and run it once more and post the log.

 

[tsreddi]

Here is the latest log from Malwarebytes. It looks like another trojan found....
------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.43
Database version: 3474
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2010 10:17:10 AM
mbam-log-2010-01-02 (10-17-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200928
Time elapsed: 56 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jgaw400.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

 

[shelf life]

ok. One more download to get. Its called rootrepeal. Link and directions:

http://ad13.geekstogo.com/RootRepeal.exe



Click the icon on your desktop to start.

Click on the Report tab at the bottom of the window

Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
Dont run any software while RootRepeal is running
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit

Post the report in your reply

 

[tsreddi]

Here is the log from ROOTREPEAL:

----------------------------------------------------------


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/02 19:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA95F0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B73000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7B15000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8E58000 Size: 49152 File Visible: No Signed: -
Status: -

Name: saqopql.sys
Image Path: saqopql.sys
Address: 0xF75BD000 Size: 54016 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x87117420

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86df5a78

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x870978f0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86eefc00

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86f6d090

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8704f0c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9a0f350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x87020940

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x870520c0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x87053a10

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86e32aa8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86f55090

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86d5db58

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8688c9e0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x86e3cee8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86e3bdb0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x868919e0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86e14ce0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86836b20

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9a0f580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86f6f090

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86df1a78

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86e3ac78

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86e22ba8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86894890

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86cbfcf0

==EOF==

 

[shelf life]

ok thanks for the info. When you ran Combofix, you where able to install the recovery console? That would have been one of the prompts from running combofix.
If the recovery console is installed go ahead and try running combofix again after you disable your Av and any running anti-malware.

 

[tsreddi]

I am still having same problem with ComboFix. May it is becoz I am unable to disable Symantec anti virus completely. That is the only thing I did not follow from the ComboFix guide I cannot afford to uninstall Symantec anti virus at this point. Is there any alternate to ComboFix that I can run?

thanks.

 

[shelf life]

ok. Lets see if we can dump some temp files in safe mode and run combofix.
You might want to copy/paste this into notepad and save it so you can find it in safe mode.
To help show all files do this:

FOr XP: on the desktop double click my computer,go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok


Next you would boot machine into safe mode, to reach safe mode you would tap the f8 key during a computer restart and chose the first option; safe mode
Once at the safe mode desk top:

Click Start>Run then type %temp%
click OK or enter. Delete all the files you can.

click Start>Run then type %windir%\temp
hit ok or enter, delete all the files you can

Take a look here and delete what you can:

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\


C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Last:
Go to Start > Run and type:cleanmgr. Click ok or enter, Windows will scan. When done check these 3 and press *ok* to remove:


Temporary Files
Temporary Internet Files
Recycle Bin

Double click the Combofix icon and see if it runs ok in safe mode.

 

[tsreddi]

Yes, I was able to run Combofix in safemode. Here is the log from the tool.

********************************************************
ComboFix 09-12-31.A1 - shyam 01/04/2010 14:05:42.4.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.777 [GMT 5.5:30]
Running from: c:\documents and settings\shyam\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\deca5f07-5a00-4716-8465-3efaca97303b.ocx
c:\windows\system32\b21672ec-5b1b-40a6-91a9-92cddcd30ac3.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-01 18:36 . 2010-01-01 18:36 -------- d-----w- c:\documents and settings\shyam\Application Data\Malwarebytes
2010-01-01 18:36 . 2009-12-30 09:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 18:36 . 2010-01-01 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 18:36 . 2009-12-30 09:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 18:36 . 2010-01-01 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 15:31 . 2009-12-28 15:31 -------- d-----w- c:\program files\ERUNT
2009-12-28 15:24 . 2009-12-28 15:24 -------- d-----w- c:\program files\Trend Micro
2009-12-28 14:38 . 2009-12-28 14:38 -------- d-----w- c:\documents and settings\shyam\Application Data\Uniblue
2009-12-28 13:37 . 2009-12-28 13:37 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-28 11:13 . 2009-12-28 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-28 11:13 . 2009-12-28 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-23 11:00 . 2009-12-23 11:28 -------- d-----w- c:\documents and settings\shyam\Application Data\FreeFixer
2009-12-23 11:00 . 2009-12-23 11:00 -------- d-----w- c:\documents and settings\shyam\Local Settings\Application Data\FreeFixer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 07:44 . 2008-08-28 07:18 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-28 15:07 . 2007-08-11 20:47 -------- d-----w- c:\program files\Real
2009-12-28 11:13 . 2007-08-11 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-24 05:38 . 2008-08-28 07:01 -------- d-----w- c:\program files\ATInet
2009-12-20 16:11 . 2007-08-11 21:00 -------- d-----w- c:\documents and settings\shyam\Application Data\Skype
2009-12-20 05:40 . 2009-12-20 05:40 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-10-29 07:45 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
2007-02-06 15:25 . 2008-07-04 13:51 5005698 ----a-w- c:\program files\jakarta-tomcat-5.5.11.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-05 198160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-19 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2008-12-13 12:21 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-02-20 17:29 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 05:43 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATInet\\Extranet.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 jklewc;jklewc; [x]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [8/15/2009 10:26 PM 233472]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 2:04 PM 102448]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [8/15/2009 10:26 PM 36608]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.co.in/s/v/57.11/uploader2.cab
FF - ProfilePath - c:\documents and settings\shyam\Application Data\Mozilla\Firefox\Profiles\uyodr1o0.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Run-NPSStartup - (no file)
AddRemove-FreeWAVToMP3Converter - c:\program files\Free WAV To MP3 Converter\Uninst.exe
AddRemove-Pdf995 - c:\program files\pdf995\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-04 14:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(212)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-01-04 14:14:31
ComboFix-quarantined-files.txt 2010-01-04 08:44

Pre-Run: 16,405,663,744 bytes free
Post-Run: 16,364,064,768 bytes free

- - End Of File - - C02440DF17043ACEADCE0F9823214183

 

[shelf life]

ok good. See if you can run it again while in normal mode. If so post the log.

 

[tsreddi]

Again ComboFix crashed with error 'BAD_POOL_HEADER' but this time after I saw the messages that log is being generated. Earlier it used crash while deleting files.

Thanks.

 

[shelf life]

Take a look here: C:\ComboFix.txt and see if you can copy/paste the log in your reply if its there. Before you ran combofix you disabled any AV and any running anti-malware, closed any open winodws and didnt run any programs?

 

[tsreddi]

Here is Combofix.txt found in c:/combofix/. I turned off all the programs except Norton anti virus. No other program or anti malware were running at that point.

*******************************************************

ComboFix 09-12-31.A1 - shyam 01/05/2010 10:46:39.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.509 [GMT 5.5:30]
Running from: C:\Documents and Settings\shyam\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-01 18:36:30 . 2010-01-01 18:36:30 -------- d-----w- C:\Documents and Settings\shyam\Application Data\Malwarebytes
2010-01-01 18:36:23 . 2009-12-30 09:25:24 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-01-01 18:36:20 . 2010-01-01 18:36:20 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-01 18:36:20 . 2009-12-30 09:24:58 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-01-01 18:36:19 . 2010-01-01 18:36:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-28 15:31:38 . 2009-12-28 15:31:44 -------- d-----w- C:\Program Files\ERUNT
2009-12-28 15:24:20 . 2009-12-28 15:24:20 -------- d-----w- C:\Program Files\Trend Micro
2009-12-28 14:38:01 . 2009-12-28 14:38:01 -------- d-----w- C:\Documents and Settings\shyam\Application Data\Uniblue
2009-12-28 13:37:45 . 2009-12-28 13:37:45 552 ----a-w- C:\WINDOWS\system32\d3d8caps.dat
2009-12-28 11:13:31 . 2009-12-28 12:16:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
2009-12-28 11:13:18 . 2009-12-28 11:13:18 -------- d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-12-23 11:00:42 . 2009-12-23 11:28:33 -------- d-----w- C:\Documents and Settings\shyam\Application Data\FreeFixer
2009-12-23 11:00:42 . 2009-12-23 11:00:42 -------- d-----w- C:\Documents and Settings\shyam\Local Settings\Application Data\FreeFixer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 04:51:30 . 2008-08-28 07:18:09 -------- d-----w- C:\Program Files\Symantec AntiVirus
2009-12-28 15:07:43 . 2007-08-11 20:47:11 -------- d-----w- C:\Program Files\Real
2009-12-28 11:13:31 . 2007-08-11 01:09:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Symantec
2009-12-24 05:38:34 . 2008-08-28 07:01:45 -------- d-----w- C:\Program Files\ATInet
2009-12-20 16:11:39 . 2007-08-11 21:00:54 -------- d-----w- C:\Documents and Settings\shyam\Application Data\Skype
2009-12-20 05:40:26 . 2009-12-20 05:40:22 16 ----a-w- C:\WINDOWS\system32\config\systemprofile\Application Data\fvgqad.dat
2009-10-29 07:45:38 . 2004-08-10 17:51:29 916480 ------w- C:\WINDOWS\system32\wininet.dll
2009-10-21 05:38:36 . 2004-08-10 17:51:26 75776 ----a-w- C:\WINDOWS\system32\strmfilt.dll
2009-10-21 05:38:36 . 2004-08-10 17:51:09 25088 ----a-w- C:\WINDOWS\system32\httpapi.dll
2009-10-20 16:20:16 . 2004-08-04 04:00:14 265728 ----a-w- C:\WINDOWS\system32\drivers\http.sys
2009-10-13 10:30:16 . 2004-08-10 17:51:17 270336 ----a-w- C:\WINDOWS\system32\oakley.dll
2009-10-12 13:38:19 . 2004-08-10 17:51:20 149504 ----a-w- C:\WINDOWS\system32\rastls.dll
2009-10-12 13:38:18 . 2004-08-10 17:51:20 79872 ----a-w- C:\WINDOWS\system32\raschap.dll
2007-02-06 15:25:42 . 2008-07-04 13:51:37 5005698 ----a-w- C:\Program Files\jakarta-tomcat-5.5.11.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 07:24:00 20480]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 01:21:14 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 04:13:38 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 07:44:18 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 07:41:08 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 07:45:00 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 08:00:36 132496]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 22:35:50 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 21:30:44 282624]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 01:29:52 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 21:50:42 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 21:50:18 81920]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 17:03:00 36864]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 16:46:38 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 05:20:30 413696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 12:08:28 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 14:19:02 125632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2009-11-05 02:27:51 198160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-19 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-6-22 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2008-12-13 12:21:46 98304 ----a-w- C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-02-20 17:29:08 1191936 ----a-w- C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22:02 3739648 ----a-w- C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 05:43:26 267048 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50:42 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ATInet\\Extranet.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [8/15/2009 10:26:29 PM 233472]
R2 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48:56 PM 116416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 2:04:39 PM 102448]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [8/15/2009 10:26:29 PM 36608]
S0 jklewc;jklewc; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.co.in/s/v/57.11/uploader2.cab
FF - ProfilePath - C:\Documents and Settings\shyam\Application Data\Mozilla\Firefox\Profiles\uyodr1o0.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: C:\Program Files\Google\Picasa3\npPicasa3.dll
.

***************************************************

Thanks

 

[shelf life]

ok thanks for the info. Hows it looking on your end now?

 

[tsreddi]

For now I dont see any unusal traffic on my n/w. Do you suggest me to keep all the tools I have used or I can just delete/uninstall them. anyway thanks for all the help.

Thanks.

 

[shelf life]

Run rootRepeal once more and post the log.