
I Need Help !


3 replies to this topic

#1 rex_dragonovich

rex_dragonovich

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:55 PM

Posted 13 August 2007 - 09:01 AM

I am having a problem with my IE. Whenever I do a search on Google or Yahoo, the search proceeds normally, but as soon as I click a link I am redirected to fasttools.biz via easywebsearch and I cannot access the information, whereas when I use the URL directly IE works fine. Also, after I navigate through a site, the error message prompting me to send an error report to Microsoft appears and the programs hang until I have to restart. I ran HijackThis and ScanSpyware and am posting the logs generated by HijackThis. Kindly help me out; I would be grateful.
I would also like to certify that I had the DriveCleaner malware on my system, which I removed using VirtumundoBeGone.



Logfile of HijackThis v1.99.1
Scan saved at 12:38:54 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\OfcpfwSvcs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\qwerty12.exe
C:\Program Files\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\BitComet\BitComet.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Vineeta\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Vineeta\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {f67a3352-b593-4376-ba61-8eebc6f5bda6} - C:\WINDOWS\system32\ltk400.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] C:\WINDOWS\system32\OfcpfwSvcs.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O20 - AppInit_DLLs: c:\windows\system32\sstttqp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ltk400 - C:\WINDOWS\SYSTEM32\ltk400.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

I am getting frustrated by this; kindly help me out.


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:55 AM

Posted 13 August 2007 - 09:22 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

DriveCleaner Free

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O2 - BHO: (no name) - {f67a3352-b593-4376-ba61-8eebc6f5bda6} - C:\WINDOWS\system32\ltk400.dll
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] C:\WINDOWS\system32\OfcpfwSvcs.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O20 - AppInit_DLLs: c:\windows\system32\sstttqp.dll
O20 - Winlogon Notify: ltk400 - C:\WINDOWS\SYSTEM32\ltk400.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\AClient.dll
C:\WINDOWS\system32\OfcpfwSvcs.exe
C:\Program Files\Common Files\DriveCleaner Free <--folder
c:\windows\system32\sstttqp.dll
C:\WINDOWS\system32\qwerty12.exe

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Reboot back into normal mode.

You have Logitech Desktop Messenger installed on your computer.
Once a week, when connected to the internet, Logitech Desktop Messenger will automatically connect with Logitech servers to see if there are any new messages for you. It performs this check during idle time to avoid slowing down other applications that may be accessing the Internet.

If there is a message on the server, then Logitech Desktop Messenger will download the message utilizing bandwidth that would otherwise be unused. After the message is downloaded, Logitech Desktop Messenger will wait for one minute of keyboard and mouse inactivity before displaying the message on your screen. I suggest doing all updates yourself and removing this application!

This will not affect any other Logitech software or hardware in any way.
Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following if they exist by double-clicking on the following entries:
Logitech Desktop Messenger

You are using the BitComet p2p file sharing program.
This is not technically malware by itself, but it installs malware in order to run properly.
It also opens the door for every other nasty program you can think of.
I strongly recommend that you remove it from your computer.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/

I suggest you remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
BitComet

This is another article you can read:
http://www.cexx.org/adware.htm

The choice to remove it is entirely up to you, but I would strongly recommend that you get rid of it.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Download Combofix to your desktop. !! It is really important that combofix.exe is on your desktop, not somewhere else or not in a folder on your desktop.
Then go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v ltk400 sstttqp

Hit enter. This should start the combofix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
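The entries David singles out above follow a small set of triage rules that a log reviewer applies to every HijackThis log: a browser helper object with no name, a non-empty AppInit_DLLs value (which loads the DLL into every process that uses user32), a Winlogon Notify package that is not a known vendor DLL, a service with an unknown owner, and autorun entries that belong to a rogue "cleaner" product. The script below is an added example, not HijackThis, ComboFix, or anything posted by the participants; it applies those rules to HijackThis log lines. The sample lines are copied from the first log in this thread, while the Winlogon Notify allowlist and the rogue-product list are assumptions that an analyst would maintain locally.

```python
import re
from typing import Dict, List, Optional

# Sample HijackThis log lines copied from the first log posted in this thread
# (a constructed subset; the full log has many more entries).
SAMPLE_HJT_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {f67a3352-b593-4376-ba61-8eebc6f5bda6} - C:\WINDOWS\system32\ltk400.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O20 - AppInit_DLLs: c:\windows\system32\sstttqp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ltk400 - C:\WINDOWS\SYSTEM32\ltk400.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
"""

# Winlogon Notify DLLs the analyst has verified as legitimate. igfxsrvc.dll is
# the Intel graphics package seen in this thread; the list itself is an
# assumption for this example and must be maintained from your own baseline.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll"}

# Product names of known rogue "cleaner" utilities; DriveCleaner is the one
# named in this thread. Extend from your own threat intelligence (assumption).
ROGUE_PRODUCT_NAMES = ("drivecleaner",)

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def check_entry(kind: str, body: str) -> Optional[str]:
    """Return a reason when the entry matches one of the triage rules, else None."""
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if kind == "O4" and any(name in body.lower() for name in ROGUE_PRODUCT_NAMES):
        return "autorun entry belongs to a known rogue product"
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return "AppInit_DLLs value loads this DLL into every user32 process"
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        dll = basename(body.rsplit(" - ", 1)[-1])
        if dll not in KNOWN_NOTIFY_DLLS:
            return "Winlogon Notify package not on the analyst allowlist"
    if kind == "O23" and "Unknown owner" in body:
        return "service whose owner (publisher) is unknown"
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan HijackThis log text and return the entries that trip a triage rule."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # process list, headers and blank lines are not entries
        reason = check_entry(match["kind"], match["body"])
        if reason:
            findings.append({"kind": match["kind"], "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT_LOG):
        print(f"[{finding['kind']}] {finding['reason']}\n    {finding['line']}")
```

Run against the sample, the script reports the five entries David asked to have fixed and stays silent on the Norton, Intel and Google lines, which is the point of the allowlist: a Winlogon Notify entry is not suspicious in itself, only one that cannot be tied to a known vendor package.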

#3 rex_dragonovich

rex_dragonovich
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:55 PM

Posted 15 August 2007 - 02:41 AM

Here are the logs you asked for. Thank you for your help.

Combofixlog:

ComboFix 07-08-14.4 - "Vineeta" 2007-08-15 13:03:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.893 [GMT 5.5:30]


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-15 12:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-14 12:14 32,768 --a------ C:\WINDOWS\system32\PdePgHlp.dll
2007-08-14 12:14 28,672 --a------ C:\WINDOWS\system32\PdeSrvps.dll
2007-08-14 12:14 200,704 --a------ C:\WINDOWS\system32\CTPdeSrv.exe
2007-08-14 12:14 143,360 --a------ C:\WINDOWS\system32\CTPmsWma.dll
2007-08-14 12:13 49,152 --a------ C:\WINDOWS\system32\ctpde.dll
2007-08-14 12:13 385,109 --a------ C:\WINDOWS\system32\ctjb2sp.dll
2007-08-14 12:13 28,672 --a------ C:\WINDOWS\system32\Jb4Inst.dll
2007-08-14 12:13 233,472 --a------ C:\WINDOWS\system32\CTPmsMan.dll
2007-08-14 12:13 16,880 --a------ C:\WINDOWS\system32\drivers\ctpdusb.sys
2007-08-14 12:13 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2007-08-14 12:12 <DIR> d-------- C:\Program Files\Creative
2007-08-14 11:24 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-12 23:48 <DIR> d-------- C:\Program Files\PSTRUH
2007-08-12 21:22 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2007-08-12 21:22 <DIR> d-------- C:\WINDOWS\PrimoPDF
2007-08-12 16:54 <DIR> d-------- C:\WINDOWS\CSC
2007-08-12 16:11 <DIR> d-------- C:\VundoFix Backups
2007-08-09 17:09 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-08-09 17:07 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Leadertech
2007-08-07 16:38 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-06 22:15 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-08-06 08:54 92,730 --a------ C:\WINDOWS\system32\dvdsec.dll.vir
2007-08-02 22:17 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\vlc
2007-07-25 10:47 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-07-23 17:17 <DIR> d-------- C:\Program Files\Media Player Classic
2007-07-23 17:17 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Real
2007-07-23 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-07-22 13:38 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Yahoo!
2007-07-22 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-21 22:23 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Media Player Classic
2007-07-19 08:26 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Dev-Cpp
2007-07-17 23:11 <DIR> d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Hamachi
2007-07-17 23:10 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-07-17 23:10 <DIR> d-------- C:\Program Files\Hamachi
2007-07-16 19:55 72,192 --ahs---- C:\WINDOWS\system32\autorun3.exe
2007-07-16 19:55 39,325 --ahs---- C:\WINDOWS\system32\kas.exe
2007-07-16 19:53 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-07-15 14:00 <DIR> d-------- C:\Downloads


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 12:54 --------- d-------- C:\Program Files\Norton Internet Security
2007-08-15 12:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-15 12:34 --------- d-------- C:\Program Files\Logitech
2007-08-11 15:05 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-08-09 15:03 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-06 00:15 --------- d-------- C:\Program Files\Norton Antivirus
2007-07-22 13:09 --------- d-------- C:\Program Files\Yahoo!
2007-07-08 21:42 --------- d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Ahead
2007-07-05 06:46 --------- d-------- C:\Program Files\Common Files\FotoWire
2007-07-05 06:46 --------- d-------- C:\DOCUME~1\Vineeta\APPLIC~1\FotoWire
2007-07-05 06:45 --------- d-------- C:\Program Files\Common Files\Logitech
2007-07-04 15:30 --------- d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Google
2007-07-04 15:22 --------- d-------- C:\Program Files\Google
2007-07-04 14:38 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-04 14:36 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-04 13:04 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-03 23:07 --------- d-------- C:\Program Files\Microsoft.NET
2007-07-03 11:00 --------- d-------- C:\DOCUME~1\Vineeta\APPLIC~1\WinRAR
2007-07-03 08:34 --------- d-------- C:\DOCUME~1\Vineeta\APPLIC~1\Symantec
2007-07-03 04:58 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-03 04:58 --------- d-------- C:\Program Files\Common Files\ODBC
2007-07-03 00:21 --------- d-------- C:\Program Files\Canon
2007-07-03 00:19 --------- d--h----- C:\Program Files\CanonBJ
2007-07-03 00:12 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-03 00:10 --------- d-------- C:\Program Files\Nero
2007-07-02 23:57 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-02 23:56 --------- d-------- C:\Program Files\Symantec
2007-07-02 23:54 --------- d-------- C:\Program Files\SigmaTel
2007-07-02 23:52 --------- d-------- C:\Program Files\Intel
2007-07-02 23:42 0 -rahs---- C:\MSDOS.SYS
2007-07-02 23:42 0 -rahs---- C:\IO.SYS
2007-07-02 23:42 0 --a------ C:\CONFIG.SYS
2007-07-02 23:42 0 --a------ C:\AUTOEXEC.BAT
2007-07-02 23:42 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-02 23:40 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-02 23:39 --------- d-------- C:\Program Files\Movie Maker
2007-07-02 23:39 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-07-02 23:37 --------- d-------- C:\Program Files\Windows NT
2007-07-02 23:37 --------- d-------- C:\Program Files\Online Services
2007-07-02 23:37 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-02 23:37 --------- d-------- C:\Program Files\Messenger


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 11:54]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 11:42]
"iamapp"="C:\Program Files\Norton Internet Security\IAMAPP.EXE" [2001-08-30 01:32]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 06:40]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [2006-06-05 19:36]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 17:52]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 12:33]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]

R2 NISSERV;Norton Internet Security Service;"C:\Program Files\Norton Internet Security\NISSERV.EXE"
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\stub.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C060D52F-8801-BA73-13B9-4C92B499D543}]
C:\WINDOWS\system32\svchost64.exe s

Contents of the 'Scheduled Tasks' folder
2007-08-03 14:30:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job - C:\PROGRA~1\NORTON~1\NAVW32.exe
2007-07-02 19:43:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 13:04:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 13:05:26
C:\ComboFix-quarantined-files.txt ... 2007-08-15 13:05
C:\ComboFix2.txt ... 2007-08-15 12:52

--- E O F ---


Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:01 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Vineeta\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{10B1979A-EB29-4028-A66F-22F244B4DED9}: NameServer = 202.56.230.6,202.56.215.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe


Norton AntiVirus reported ComboFix as a malicious file. Is there anything to worry about?

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:55 AM

Posted 15 August 2007 - 03:41 AM

No, the alert over Combofix is a false positive.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\autorun3.exe
C:\WINDOWS\system32\kas.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.
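David's request to pack autorun3.exe and kas.exe comes from the ComboFix "Files Created" list, where both files carry the hidden and system attributes (--ahs----) even though they are ordinary executables dropped into system32, which is why they were singled out for submission rather than any of the vendor DLLs created on the same days. The script below is an added example, not ComboFix's own logic or anything posted by the participants; it parses that section with exactly that attribute rule and, going beyond what the thread acts on, also reports the MountPoints2 AutoRun\command handlers recorded under "Reg Loading Points", which is where Explorer keeps the autorun action for removable drives such as F: and G:. The log excerpt is copied from the ComboFix log in this thread; the executable-extension list is an assumption.

```python
import re
from typing import Dict, List, Optional

# Excerpt of the ComboFix log posted in this thread (constructed subset).
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))

2007-08-15 12:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 12:13 16,880 --a------ C:\WINDOWS\system32\drivers\ctpdusb.sys
2007-08-12 16:11 <DIR> d-------- C:\VundoFix Backups
2007-07-16 19:55 72,192 --ahs---- C:\WINDOWS\system32\autorun3.exe
2007-07-16 19:55 39,325 --ahs---- C:\WINDOWS\system32\kas.exe
2007-07-16 19:53 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\stub.exe
"""

# A "Files Created" line: date, time, size or <DIR>, 9-char attribute string, path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-\w]{9})\s+(?P<path>.+)$"
)
# Per-drive MountPoints2 key header followed by its AutoRun\command value.
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<drive>[A-Z])\]$", re.I)
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(?P<cmd>.+)$", re.I)

# Extensions treated as program code. .sys is deliberately excluded because
# boot stubs such as IO.SYS and MSDOS.SYS are legitimately hidden+system
# (assumption for this example; tune to your own baseline).
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")


def is_hidden_system_executable(attrs: str, path: str) -> bool:
    """True when a program file carries both the hidden (h) and system (s) attributes."""
    return "h" in attrs and "s" in attrs and path.lower().endswith(EXEC_EXTS)


def parse_combofix(log_text: str) -> List[Dict[str, str]]:
    """Return files and autorun handlers worth a second look from a ComboFix log."""
    findings: List[Dict[str, str]] = []
    pending_drive: Optional[str] = None  # drive letter of the last MountPoints2 key seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if is_hidden_system_executable(m["attrs"], m["path"]):
                findings.append({
                    "type": "hidden-system-executable",
                    "path": m["path"],
                    "detail": f"created {m['date']} {m['time']}, attributes {m['attrs']}",
                })
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            pending_drive = m["drive"].upper()
            continue
        m = AUTORUN_RE.match(line)
        if m and pending_drive:
            findings.append({
                "type": "removable-drive-autorun",
                "path": m["cmd"].strip(),
                "detail": f"MountPoints2 AutoRun handler for drive {pending_drive}:",
            })
            pending_drive = None
            continue
        if line.startswith("["):
            pending_drive = None  # any other registry key header ends the pairing
    return findings


if __name__ == "__main__":
    for f in parse_combofix(SAMPLE_COMBOFIX_LOG):
        print(f"{f['type']}: {f['path']} ({f['detail']})")
```

The attribute rule alone picks out exactly the two files David asked for and ignores the Creative driver, the dllcache copy of usbstor.sys and the VundoFix backup directory. The MountPoints2 findings are context rather than verdicts: they show which executables Explorer was told to run when those two drives were inserted, which is the question to ask when a hidden executable called autorun3.exe appears in system32.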



