
Virtumonde And Darksma...please Help!


  • This topic is locked
13 replies to this topic

#1 jyoshu


  • Members
  • 24 posts

Posted 07 August 2007 - 09:00 AM

Hi,
I have the problem of WinAntiVirus Pro and DriveCleaner 2006 popups.
I scanned my system with various anti-virus programmes and got different results with each, but the problem still persists.
With Norton, Trojan.Vundo was detected... there were about 250 or more detected by Norton, but it could not clean up all the files.
I downloaded VundoFix but it has not detected any Vundo on the system.
I also downloaded FixVundo from Symantec and it detected 1 infection and deleted it... on rerunning it, it says no infection.
But when I run Spybot it repeatedly detects Virtumonde and DriveCleaner 2006... it keeps coming back after restarting the system as well.
This is what Spybot says:

virtumonde
settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dnngcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DInf
library
C:\WINDOWS\system32\Pubi32.dll

Yahoo! Anti-Spy detects Darksma, which it removes, and when I rerun it Darksma appears again.
DriveCleaner 2006
class id
HKEY_CLASSES_ROOT\CLSID\Inprocserver32

I tried to fix a few items after going through a tutorial about HijackThis logs... dunno if I was right in doing that... the only solace is my system has not crashed yet :thumbsup:
I also ran Stinger as advised in the preparation guide section and deleted all temp files etc.
Kindly go through my log file and please advise on what I should do next... my web pages suddenly stop or are not responding, and I disabled third-party browser extensions... should I check it back on?
Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:29 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\XZ653E.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\LVComsX.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14d35b66-a930-41ab-959a-e48b3171e78c} - C:\WINDOWS\system32\pubi32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Broadband] C:\Program Files\Sify Broadband\BBClient.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zapak.com/popcaploader/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ssqrpml.dll
O20 - Winlogon Notify: pubi32 - C:\WINDOWS\SYSTEM32\pubi32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6936 bytes
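As an added example (not part of this thread, and not how HijackThis or Spybot themselves classify entries), here is a small Python triage script that applies a few Vundo-style heuristics to lines taken from the log above: a process running from C:\WINDOWS\TEMP, temp-named DLLs, an unnamed BHO in system32, an AppInit_DLLs entry, and the same DLL registered as both a BHO and a Winlogon Notify package. The rule names and heuristics are mine, and the sample log is a constructed excerpt of the posted one.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the HijackThis log posted above,
# plus two ordinary entries, so the triage can be run offline.
SAMPLE_LOG = r"""
C:\WINDOWS\TEMP\XZ653E.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O2 - BHO: (no name) - {14d35b66-a930-41ab-959a-e48b3171e78c} - C:\WINDOWS\system32\pubi32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: c:\windows\system32\ssqrpml.dll
O20 - Winlogon Notify: pubi32 - C:\WINDOWS\SYSTEM32\pubi32.dll
"""

# First drive-letter path ending in .dll/.exe/.sys, followed by a quote, space or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:dll|exe|sys))(?=["\s]|$)', re.IGNORECASE)
# HijackThis section prefix, e.g. "O2 - ", "R0 - ".
SECTION_RE = re.compile(r'^([RFNO]\d+)\s+-\s+(.*)$')


def parse_line(line):
    """Return (section, text, path) for one log line, or None for a blank line.
    Bare paths from the 'Running processes' block are given section 'PROC'."""
    line = line.strip()
    if not line:
        return None
    m = SECTION_RE.match(line)
    section, text = (m.group(1), m.group(2)) if m else ("PROC", line)
    pm = PATH_RE.search(text)
    path = pm.group(1).lower() if pm else ""
    return section, text, path


def triage(log_text):
    """Apply a few heuristics (my own, not HijackThis's) to a HijackThis log
    and return a list of (rule, line) findings for a human to review."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    roles = defaultdict(set)  # DLL/EXE basename -> sections it appears in

    for section, text, path in entries:
        if path:
            roles[path.rsplit("\\", 1)[-1]].add(section)
        # A process running out of the system TEMP directory.
        if section == "PROC" and "\\windows\\temp\\" in path:
            findings.append(("process in TEMP", text))
        # Binaries named like temp files (tmp5.tmp.dll): no installer leaves these behind.
        if re.search(r'\\tmp[0-9a-f]*\.tmp\.(dll|exe)$', path):
            findings.append(("tmp-named binary", text))
        # A BHO with no name whose DLL lives in system32.
        if section == "O2" and "(no name)" in text and "\\system32\\" in path:
            findings.append(("unnamed BHO in system32", text))
        # AppInit_DLLs is loaded into every process that links user32.dll.
        if section == "O20" and text.startswith("AppInit_DLLs:") and path:
            findings.append(("AppInit_DLLs set", text))

    # The same DLL registered both as a BHO (O2) and as a Winlogon Notify
    # package (O20): the pairing that lets a component survive a reboot and
    # re-create the other half when one of them is deleted.
    for base, sections in roles.items():
        if {"O2", "O20"} <= sections:
            findings.append(("BHO + Winlogon Notify pair", base))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```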


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 August 2007 - 09:51 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, jyoshu :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log.

#3 jyoshu

  • Topic Starter

  • Members
  • 24 posts

Posted 07 August 2007 - 11:06 AM

Hi Richie... thank you so much for the prompt reply. I am not sure if this is the ComboFix log you asked for... as soon as the system restarted this was the Notepad page that opened... I searched for the file name combofix.exe but did not find it.
Also, I could not open Yahoo Mail from Yahoo Messenger after ComboFix finished its job... do you think it has something to do with ComboFix? Sorry... I'm a novice... so please excuse me for any screwup.

I am posting the ComboFix log and HijackThis log here.


ComboFix 07-08-07.5 - "home" 2007-08-07 20:55:28.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 5.5:30]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\home\APPLIC~1\tmp1114.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp12.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp14.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp68B.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp73.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp7A.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmp7C.tmp.exe
C:\DOCUME~1\home\APPLIC~1\tmpF9C.tmp.exe
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\music\mainmenumusic.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\areabomb.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\beetlezap.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\bonusrow.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\bonustimer.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\bucketfilled.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\clearpyramid.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle1a.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle1b.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle1c.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle2a.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle2b.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\cleartriangle2c.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\colorchain.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\dialogbox.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\drumbeat.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\fillrow.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\gateopen.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\helptip.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\powerup.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\rotateboardleft.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\timerup.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\warning.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\audio\sfx\warning2.ogg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\artifacts-bb.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\bar.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\chamber0.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\chamber1.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\circledoor.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\full_screen_dialog.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\global-hs-bb_large.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\global-hs-bb_small.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\help-bb_large.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\help-bb_small.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\hexfield.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\hidden-artifact_icon.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\large_dialog.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\local-hs-bb.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\mainmenu.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\small_dialog.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\textfield.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\backgrounds\trifield.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetlehover1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetlehover2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetlehover3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetlehover4.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetleshock1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetleshock2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetleshock3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetleshock4.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\beetletatoo.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\dirt.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\scarabpost.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\scarabpostovr.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\beetles\tritop.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowdown_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowdown_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowdown_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowleft_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowleft_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowleft_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowright_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowright_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowright_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowup_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowup_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\arrowup_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowleft_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowleft_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowleft_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowright_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowright_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\bluearrowright_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\checkdown.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\checkup.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\long_button_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\long_button_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\long_button_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\orange-button_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\orange-button_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\orange-button_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotleft_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotleft_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotleft_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotright_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotright_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\rotright_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\simplebutton_down.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\simplebutton_over.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\simplebutton_up.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\sliderknob.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\sliderknobover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\buttons\sliderrail.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\characters\anwar\look\pl0001.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\characters\bast\look\bl0001.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\characters\kristine\look\kl0001.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\crackedstopper.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\cursor.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\doorlights.txt
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\fonts\jackarmstrong.mvec
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\fonts\lithos.mvec
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\greybomb.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\helptips\arrowkeys.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\helptips\helptip.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\levels\levels.dat
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\disk.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\equilateraltriangle.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\flattri.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\pyramid.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\quad.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\rotatingpyramid.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\models\scarabpanel.mesh
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\p1icon.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\scenes\page1-0.xml
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\scenes\page1-1.xml
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\scenes\panel1-0-1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\scenes\panel1-1-1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\scorecloud.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\setup.xml
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\areashockwave.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_4.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_starter.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\bolt_tail.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\flash.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\rubble.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\smoke.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\smoke2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\sfx\smoke3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\splash\aol_logo.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\splash\playfirst_logo.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\statues\statue0\snake_dirty.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\statues\statue1\arm01_dirty.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\statues\statue1\mask01_1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\statues\statue1\statue01_dirty.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\stopper.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\timer.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\timerglow.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\timericon.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\tm.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseblue1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseblue2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseblue3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousegreen1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousegreen2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousegreen3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousered1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousered2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mousered3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseyellow1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseyellow2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\trails\mouseyellow3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\areabomb.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\areabombrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\blue.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\bluerollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\boardfill.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\brick.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\brick1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\brick2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\brick3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\bricktip.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared4.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared5.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\clearanim\cleared6.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\eye1.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\eye2.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\eye3.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\eye4.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\green.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\greenrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-blue.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-bluerollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-green.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-greenrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-red.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-redrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-yellow.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\plain_tri-yellowrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\red.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\redrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\wild.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\wildrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\yellow.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\triangles\yellowrollover.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\upsell\image0.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\upsell\image1.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\upsell\image2.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\upsell\image3.jpg
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\bluebucket.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\buckettriangle.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\chainlink.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\chaintip.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\genericbucket.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\greenbucket.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\redbucket.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\smallblue.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\smallgreen.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\smallred.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\smallyellow.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\urnglow.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\urnplatform.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\urns\yellowbucket.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\assets\warning.png
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\error.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\game.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\gameover.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\hiscore.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\hiscoreinfo.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\hiscoresubmit.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\instructions.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\leveldesign.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\levelover.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\mainarcade.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\mainconfirm.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\maincontinue.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\maingames.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\mainpuzzle.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\maphelptip.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\options.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\pause.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\quitconfirm.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\start.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\storyplayer.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\style.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\screens\upsell.lua
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\strings.xml
C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.60\TriJinx.exe
C:\WINDOWS\system32\dn24b948d2.dat
C:\WINDOWS\system32\pubi32.dll
C:\WINDOWS\system32\ssqrpml.dll
C:\WINDOWS\system32\tmp14.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp7C.tmp.dll
C:\WINDOWS\winsys.ini


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 20:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 12:18 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-06 16:39 <DIR> d-------- C:\Program Files\SymNetDrv
2007-08-06 16:06 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-06 16:05 <DIR> d-------- C:\DOCUME~1\home\APPLIC~1\Symantec
2007-08-06 16:04 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-06 16:04 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-06 16:04 <DIR> d-------- C:\Program Files\Symantec
2007-08-06 16:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-06 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-06 15:57 109,056 --a------ C:\VundoFix.exe
2007-08-06 08:41 <DIR> d-------- C:\HJT
2007-08-05 08:13 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-05 07:11 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-05 07:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-05 07:11 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 06:47 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-04 17:28 <DIR> d-------- C:\VundoFix Backups
2007-08-04 16:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-04 16:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-04 15:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-04 14:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-04 11:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-31 00:12 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-30 23:15 <DIR> d-------- C:\DOCUME~1\home\.housecall6.6
2007-07-22 18:26 24,128 --a------ C:\WINDOWS\system32\pLMXlNTn.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 07:59]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-06 16:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"Broadband"="C:\Program Files\Sify Broadband\BBClient.exe" [2006-04-22 09:37]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadband]
C:\Program Files\Sify Broadband\BBClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
"C:\Program Files\iCall\iCall.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iKeyACR.exe]
"C:\Program Files\Rainbow Technologies\iKey Components\Bin\iKeyACR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys
S3 Pdsl2tbwc;Pdsl2tbwc;C:\WINDOWS\system32\drivers\mssmbios.sys
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys


Contents of the 'Scheduled Tasks' folder
2007-07-24 08:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-06 18:30:32 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 19:30:32 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 20:30:32 C:\WINDOWS\Tasks\At3.job
2007-08-06 21:30:32 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 22:30:32 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 23:30:32 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 00:30:32 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 01:30:32 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 02:30:32 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 03:30:32 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 04:30:32 C:\WINDOWS\Tasks\At11.job
2007-08-07 05:30:32 C:\WINDOWS\Tasks\At12.job
2007-08-07 06:30:32 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 07:30:32 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 08:30:32 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 09:30:32 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 10:30:32 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 11:30:32 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 12:30:32 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 13:30:42 C:\WINDOWS\Tasks\At20.job
2007-08-07 14:30:32 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-07 15:30:02 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 16:30:32 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 17:30:32 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\pLMXlNTn.exe
2007-08-06 10:45:14 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 21:00:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 21:02:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 21:02

--- E O F ---


Here is the HijackThis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:10 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\VZDF00.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\LVComsX.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Broadband] C:\Program Files\Sify Broadband\BBClient.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zapak.com/popcaploader/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6522 bytes

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 August 2007 - 12:12 PM

Download SmitfraudFix (by S!Ri) to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

---------------------------------------------------------

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#5 jyoshu

  • Topic Starter

  • Members
  • 24 posts

Posted 07 August 2007 - 09:37 PM

Hi,
My Yahoo problem is still there... I get an extra "%22http" in the browser address whenever I try to access mail from Yahoo Messenger...
Here are the reports and logs you asked for.


SmitFraudFix v2.210

Scan done at 7:35:24.48, Wed 08/08/2007
Run from C:\Documents and Settings\home\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer=202.144.105.4,202.144.10.50
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer=202.144.105.4,202.144.10.50
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer=202.144.105.4,202.144.10.50


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


ComboFix 07-08-07.5 - "home" 2007-08-08 8:03:44.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.76 [GMT 5.5:30]


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 07:35 1,876 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-08 07:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-08 07:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-08 07:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-07 20:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 12:18 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-06 16:39 <DIR> d-------- C:\Program Files\SymNetDrv
2007-08-06 16:06 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-06 16:05 <DIR> d-------- C:\DOCUME~1\home\APPLIC~1\Symantec
2007-08-06 16:04 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-06 16:04 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-06 16:04 <DIR> d-------- C:\Program Files\Symantec
2007-08-06 16:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-06 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-06 15:57 109,056 --a------ C:\VundoFix.exe
2007-08-06 08:41 <DIR> d-------- C:\HJT
2007-08-05 08:13 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-05 07:11 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-05 07:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-05 07:11 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 06:47 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-04 17:28 <DIR> d-------- C:\VundoFix Backups
2007-08-04 16:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-04 16:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-04 15:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-04 14:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-04 11:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-31 00:12 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-30 23:15 <DIR> d-------- C:\DOCUME~1\home\.housecall6.6
2007-07-22 18:26 24,128 --a------ C:\WINDOWS\system32\pLMXlNTn.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 07:59]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-06 16:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"Broadband"="C:\Program Files\Sify Broadband\BBClient.exe" [2006-04-22 09:37]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadband]
C:\Program Files\Sify Broadband\BBClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
"C:\Program Files\iCall\iCall.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iKeyACR.exe]
"C:\Program Files\Rainbow Technologies\iKey Components\Bin\iKeyACR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys
S3 Pdsl2tbwc;Pdsl2tbwc;C:\WINDOWS\system32\drivers\mssmbios.sys
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys


Contents of the 'Scheduled Tasks' folder
2007-07-24 08:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-06 10:45:14 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - home.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 08:04:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 8:05:06
C:\ComboFix-quarantined-files.txt ... 2007-08-08 08:05
C:\ComboFix3.txt ... 2007-08-07 21:02
C:\ComboFix2.txt ... 2007-08-07 21:26

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:11 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\IREA00.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Broadband] C:\Program Files\Sify Broadband\BBClient.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zapak.com/popcaploader/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6369 bytes

#6 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 08 August 2007 - 02:34 AM

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download the trial version of Spy Sweeper:
http://www.webroot.com/shoppingcart/tryme....&vcode=DT14

Install it using the Standard Install option.
You will be asked for your e-mail address, it's safe to give it.
If you receive alerts from your firewall, allow all activities for Spy Sweeper.

You will be prompted to check for updated definitions, please do so, this may take several minutes so please be patient.

Once the updates have been installed, click on 'Options' and check/enable 'Full Sweep [Recommended]'.
Click on 'Sweep', then 'Start Full Sweep' and allow it to fully scan your system.

When the sweep has finished, click 'Select All' and then click 'Quarantine Selected'.
Under the 'Summary' tab, select 'View Session Log'.
Click 'Save to File' and save the log to your desktop.

Exit Spy Sweeper.

Restart your pc, then copy and paste the Spy Sweeper log into your next reply.
Also post a new HijackThis log.

#7 jyoshu

jyoshu
  • Topic Starter

  • Members
  • 24 posts

Posted 08 August 2007 - 12:42 PM

Hi... here are the Spy Sweeper and HijackThis logs.

10:53 PM: Removal process completed. Elapsed time 00:00:06
10:53 PM: Quarantining All Traces: ilookup
10:53 PM: Quarantining All Traces: bho_xmlhelper
10:53 PM: Quarantining All Traces: atomiclog
10:53 PM: Removal process initiated
10:53 PM: Traces Found: 8
10:53 PM: Full Sweep has completed. Elapsed time 00:34:38
10:53 PM: File Sweep Complete, Elapsed Time: 00:30:56
10:46 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7F91000C
10:42 PM: Warning: TCompressedFile.GetStreams(2): Stream read error
10:42 PM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
10:40 PM: C:\USMLE2007\Common\Windec32.dll (ID = 63567)
10:40 PM: Found Adware: ilookup
10:29 PM: The Internet Communication shield has blocked access to: 194.126.193.157
10:22 PM: Starting File Sweep
10:22 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
10:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:22 PM: Starting Cookie Sweep
10:22 PM: Registry Sweep Complete, Elapsed Time:00:00:20
10:22 PM: HKLM\software\classes\typelib\{09dc28c6-bce2-42b1-b3ea-8ab82f0f3b0a}\ (ID = 2394758)
10:22 PM: HKLM\software\classes\bho_adw.bhoad.1\ (ID = 2394741)
10:22 PM: HKLM\software\classes\bho_adw.bhoad\ (ID = 2394735)
10:22 PM: HKLM\software\classes\appid\{91c9ce76-9eb1-4a77-92a1-27c44dbbfeee}\ (ID = 2312247)
10:22 PM: HKLM\software\classes\appid\bho_adw.dll\ (ID = 2312245)
10:22 PM: Found Adware: bho_xmlhelper
10:22 PM: HKLM\software\classes\xtimers.xtimer\ (ID = 1696995)
10:22 PM: HKCR\xtimers.xtimer\ (ID = 1696023)
10:22 PM: Found System Monitor: atomiclog
10:21 PM: Starting Registry Sweep
10:21 PM: Memory Sweep Complete, Elapsed Time: 00:03:12
10:18 PM: Starting Memory Sweep
10:18 PM: Start Full Sweep
10:18 PM: Sweep initiated using definitions version 963
Keylogger: Off
10:17 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:17 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:17 PM: Shield States
10:16 PM: Spyware Definitions: 963
10:16 PM: Spy Sweeper 5.5.7.48 started
10:16 PM: Spy Sweeper 5.5.7.48 started
10:16 PM: | Start of Session, Wednesday, August 08, 2007 |
***************
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:02 PM: Shield States
10:02 PM: License Check Status (0): Success
10:01 PM: Spyware Definitions: 963
10:01 PM: Spy Sweeper 5.5.7.48 started
10:01 PM: Spy Sweeper 5.5.7.48 started
10:01 PM: | Start of Session, Wednesday, August 08, 2007 |
***************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:49 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\BF808C.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Broadband] "C:\Program Files\Sify Broadband\BBClient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zapak.com/popcaploader/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7234 bytes

#8 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 09 August 2007 - 02:39 AM

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log.
Let me know how your pc is running now.

#9 jyoshu

jyoshu
  • Topic Starter

  • Members
  • 24 posts

Posted 09 August 2007 - 06:53 AM

Hi,
here is the Kaspersky report and HijackThis log. I have not been getting any popups after the first step you told me to do.
As of now the only problem is Yahoo mail not opening from Messenger... I have started using Firefox and it seems to work fine.
Kindly tell me if I need to save all these antivirus programmes on my desktop?
Thanks so much


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 09, 2007 5:01:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/08/2007
Kaspersky Anti-Virus database records: 354101
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 46870
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:31:30

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pLMXlNTn.exe Infected: Trojan.Win32.Agent.avd skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-08-09_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\home\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\home\Local Settings\Temp\~DF6499.tmp Object is locked skipped
C:\Documents and Settings\home\Local Settings\Temp\~DF46B6.tmp Object is locked skipped
C:\Documents and Settings\home\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\home\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\home\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20070809.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrpml.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:12 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\AP8A17.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Broadband] "C:\Program Files\Sify Broadband\BBClient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com/games/332/SandScript.1.0.0.21.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.zapak.com/popcaploader/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5505FE9A-D81A-4159-854A-D009CC1B205B}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7100 bytes
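
The Kaspersky report above mixes dozens of "Object is locked skipped" lines (open registry hives, event logs) with three real detections, one of which already sits in the QooBox quarantine folder left by ComboFix, and the helper's next reply removes only the two live files and deletes the quarantine folder. As an added example, not code from this thread or from any of the tools it mentions, the Python script below performs that sorting automatically and cross-checks the live detections against HijackThis O4 autostart lines; the quarantine folder names and both line layouts are assumptions read off the logs posted here, and the sample input is a constructed excerpt of those logs.

```python
"""Triage the scanner output posted in this thread.

Added example, not code from the thread or from any tool it mentions.
Kaspersky's report mixes 'Object is locked skipped' noise with real
detections; one detection already sits in a quarantine folder (QooBox),
so it is handled by deleting that folder rather than by moving the file.
The live detections are cross-checked against HijackThis O4 (autostart)
lines to see which of them would come back after a reboot.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed: quarantine/backup folders left behind by the cleanup tools used in the thread.
QUARANTINE_DIRS = ("\\QooBox\\", "\\VundoFix Backups\\")

# Report layout (inferred from the posted log): "<path> Infected: <detection name> <last action>"
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")

# HijackThis autostart entry: O4 - HKLM\..\Run: [Name] "C:\path\file.exe" -args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] '
    r'"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str          # scanner's detection name, e.g. Trojan.Win32.Agent.avd
    quarantined: bool  # True if the file lives in a known quarantine folder


def parse_kaspersky_report(text: str) -> list[Detection]:
    """Return real detections, dropping the locked-file noise."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("Object is locked skipped"):
            continue  # open registry hives and logs are not findings
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            quarantined = any(q.lower() in path.lower() for q in QUARANTINE_DIRS)
            found.append(Detection(path, m.group("name"), quarantined))
    return found


def parse_hjt_autostarts(text: str) -> dict[str, str]:
    """Map lower-cased executable path -> autostart entry name, from O4 lines only."""
    autostarts = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            autostarts[m.group("path").lower()] = m.group("name")
    return autostarts


def triage(kaspersky_text: str, hjt_text: str) -> dict:
    """Split detections into live files to remove, quarantined leftovers, and
    live files that also have an autostart entry (i.e. persistence)."""
    detections = parse_kaspersky_report(kaspersky_text)
    autostarts = parse_hjt_autostarts(hjt_text)
    live = [d for d in detections if not d.quarantined]
    return {
        "remove": [d.path for d in live],
        "already_quarantined": [d.path for d in detections if d.quarantined],
        "persistent": {d.path: autostarts[d.path.lower()]
                       for d in live if d.path.lower() in autostarts},
    }


# Constructed excerpts of the Kaspersky report and HijackThis log posted above.
SAMPLE_KASPERSKY = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\pLMXlNTn.exe Infected: Trojan.Win32.Agent.avd skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrpml.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped

Scan process completed.
"""

SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_KASPERSKY, SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the excerpt, the two system32 files come out under "remove", the QooBox file under "already_quarantined", and NeroCheck.exe is also reported as "persistent" because the NeroFilterCheck Run entry would relaunch it at every logon.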

#10 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 09 August 2007 - 07:21 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\pLMXlNTn.exe
C:\WINDOWS\system32\NeroCheck.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red MoveIt! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it in your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
----------------------------------------------------

Find and delete:
Combofix.exe
SmitfraudFix

C:\VundoFix Backups
C:\QOOBOX

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.
----------------------------------------------------
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Restart your PC.
Post the OTMoveIt log, let me know if you're still having problems.
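The OTMoveIt step above moves each listed file out of its original location and reports the outcome line by line. As an added example (not OTMoveIt's own code and not part of this thread), the Python script below does the same thing in a way you can run offline: it moves each path into a quarantine folder while mirroring the original directory layout so the file can be restored, reports paths that are already gone, and records a locked file as needing a reboot instead of silently failing. The two file names are the ones from the post, recreated as constructed dummy files inside a fresh temporary directory; the quarantine folder name `_OTMoveIt\MovedFiles` and the exact log wording are assumptions.

```python
"""Move a list of suspect files into a quarantine folder and emit an
OTMoveIt-style result log.  Added example for this thread, not OTMoveIt's
own code; the quarantine layout and log wording are assumptions."""
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def quarantine_files(paths, quarantine_dir):
    """Move each path under quarantine_dir, mirroring its original directory
    layout (minus the drive anchor) so the file can be restored later.
    Returns the result lines in the order the paths were given."""
    qroot = Path(quarantine_dir)
    qroot.mkdir(parents=True, exist_ok=True)
    results = []
    for raw in paths:
        src = Path(raw)
        if not src.exists():
            # A path that is already gone is reported, not treated as an error.
            results.append(f"File/Folder {src} not found.")
            continue
        full = src.resolve()
        dest = qroot.joinpath(*full.parts[1:])   # strip "C:\" or "/"
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(full), str(dest))
            results.append(f"{src} moved successfully.")
        except OSError as exc:
            # Typically a file locked by a running process.  OTMoveIt finishes
            # such moves at reboot; this example only reports the condition.
            results.append(f"{src} could not be moved ({exc}); reboot may be needed.")
    results.append("")
    results.append("Created on " + datetime.now().strftime("%m/%d/%Y %H:%M:%S"))
    return results


def demo():
    """Constructed sandbox run: two dummy files named after the ones in the
    post, plus one path that does not exist.  Nothing outside a fresh
    temporary directory is touched."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    targets = [sysdir / "pLMXlNTn.exe", sysdir / "NeroCheck.exe"]
    for t in targets:
        t.write_bytes(b"MZ constructed placeholder, not a real binary")
    missing = sysdir / "DoesNotExist.dll"          # constructed absent path
    qdir = root / "_OTMoveIt" / "MovedFiles"        # assumed quarantine folder
    results = quarantine_files([str(p) for p in targets + [missing]], qdir)
    moved = qdir.joinpath(*targets[0].resolve().parts[1:])
    return {
        "results": results,
        "originals_gone": all(not t.exists() for t in targets),
        "copy_in_quarantine": moved.is_file(),
    }


if __name__ == "__main__":
    print("\n".join(demo()["results"]))
```

Moving rather than deleting is the point: the file is out of its load path, but it is still available if a later check shows it was a legitimate component (the post's second entry, NeroCheck.exe, is a name that can belong to either).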

#11 jyoshu

jyoshu
  • Topic Starter

  • Members
  • 24 posts

Posted 09 August 2007 - 09:39 AM

hi RichieUK
here is the OTMoveIt report

C:\WINDOWS\system32\pLMXlNTn.exe moved successfully.
C:\WINDOWS\system32\NeroCheck.exe moved successfully.

Created on 08/09/2007 19:40:18


:thumbsup: as of now i don't think my system has any more problems...thank you so much for your time and patience.
is there anything else i should do?

Edited by jyoshu, 09 August 2007 - 09:42 AM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 August 2007 - 09:49 AM

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Other than the above, you're good to go :thumbsup:

#13 jyoshu

jyoshu
  • Topic Starter

  • Members
  • 24 posts

Posted 09 August 2007 - 10:30 AM

thanks a lot again RichieUK...THANK YOU very much

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 August 2007 - 10:47 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.