Please Help! Getting Popups All The Time


5 replies to this topic

#1 shankar

shankar

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 28 August 2007 - 10:24 PM

Hello,

I suddenly started to get popups and I have tried Microsoft and Yahoo antispy and antivirus. They come back and say it's all deleted but on rebooting it's still there. One of the spywares found is darksma and I have been unsuccessful in getting rid of it. I am posting my Hijackthis log. Any help would be greatly appreciated.

Thanks
Shankar

Attached Files





#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 29 August 2007 - 07:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum shankar :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Copy and paste the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
*.verizon.com
k2.basit.com:7001;
*.basit.com;
*.bellatlantic.com;
113.128.2.127;
192.76.88.202;
113.128.3.63;
113.128.3.235;
naturalsound.svc.tellme.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp1B0.tmp.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs: c:\windows\system32\tuvvspq.dll

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

Download Systemscan and save it to your desktop.
Double-click on Systemscan.exe to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects


Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

Also post a new Hijackthis log please.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.
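As an added illustration (not from this thread, nor from HijackThis or SDFix): a short Python triage pass over the HijackThis entry format discussed above. The sample lines are constructed from entries in this thread, and the severity rules are assumed heuristics of my own, so treat them as a starting point rather than the tool's verdict.

```python
import re

# Constructed sample in the HijackThis log format used in this thread. The O2
# "(no name)" and O20 lines are the entries the helper asked to have fixed; the
# remaining lines are benign entries taken from the poster's full log.
SAMPLE_LOG = r"""
O1 - Hosts: 113.128.142.112 cdirst01
O1 - Hosts: 113.128.142.168 dolphin
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp1B0.tmp.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: c:\windows\system32\tuvvspq.dll
O23 - Service: (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# tmpNNN.tmp.dll / .exe is the naming pattern SDFix later deleted on this machine.
TMP_FILE_RE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.(dll|exe)$", re.IGNORECASE)


def parse(log_text):
    """Return [(section, body), ...] for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify_bho(body):
    """Heuristic (assumed, not HijackThis's own) severity for an O2 BHO entry."""
    # Body format: "BHO: <name> - {CLSID} - <path>"
    parts = body[len("BHO: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None, None
    name, _clsid, path = parts
    if path == "(no file)":
        return "low", "orphaned BHO registration; the CLSID points at a file that no longer exists"
    if TMP_FILE_RE.search(path):
        return "high", "BHO loads a temp-named DLL from system32"
    if name == "(no name)":
        return "medium", "BHO registered without a name; verify the DLL's publisher"
    return None, None


def triage(log_text):
    """Return findings as (severity, section, reason, body) tuples."""
    findings = []
    hosts_overrides = 0
    for section, body in parse(log_text):
        if section == "O1":
            hosts_overrides += 1
        elif section == "O2":
            severity, reason = classify_bho(body)
            if severity:
                findings.append((severity, section, reason, body))
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that loads user32.dll, so a
            # non-empty value is almost always worth a look (the helper's fix.reg
            # above deletes the value outright).
            dll = body.partition(": ")[2].strip()
            if dll:
                findings.append(("high", section, "AppInit_DLLs injects a DLL into every GUI process", body))
        elif section == "O23":
            # Body format: "Service: <name> - <owner> - <path>"
            if " - Unknown owner - " in body:
                findings.append(("low", section, "service binary has no publisher information", body))
    if hosts_overrides:
        findings.append(("review", "O1",
                         f"{hosts_overrides} hosts-file overrides; confirm they are expected "
                         "(e.g. corporate intranet names) before removing them", ""))
    return findings


if __name__ == "__main__":
    for severity, section, reason, body in sorted(triage(SAMPLE_LOG)):
        print(f"[{severity:6}] {section}: {reason}")
        if body:
            print(f"         {body}")
```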

#3 shankar

shankar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 30 August 2007 - 01:01 AM

Hello Richie,

Thanks for helping me out with the problem. Here are the reports you had asked for. I am attaching the report.txt for suspectfile as the file is too big for the post.

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:00 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINDOWS\system32\IMWEBSTA.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=...633151439163102
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getProxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.verizon.com:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe"
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - S-1-5-19 Startup: Acrobat60.vbs (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: Acrobat60.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: Acrobat60.vbs (User 'Default user')
O4 - .DEFAULT User Startup: Acrobat60.vbs (User 'Default user')
O4 - .DEFAULT User Startup: PowerFix.vbs (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.43/uploader2.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (Software Center) - http://us.dl1.yimg.com/download.yahoo.com/...ntr_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173826364247
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = its.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = its.verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BA299BB-B8BE-47C1-866E-DA5656C1B2CE}: NameServer = 113.128.189.1,113.128.189.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,basit.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe

--
End of file - 9484 bytes

-------------------------------------------------

SDFix report.txt


SDFix: Version 1.100

Run by Shankar on Wed 08/29/2007 at 11:59 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Shankar\Application Data\tmp1AE.tmp.exe - Deleted
C:\Documents and Settings\Shankar\Application Data\tmp1B0.tmp.exe - Deleted
C:\WINDOWS\system32\tmp1B0.tmp.dll - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\Shankar\\Application Data\\tmp1AF.tmp.exe"="C:\\Documents and Settings\\Shankar\\Applic"
"C:\\WINDOWS\\system32\\qwerty12.exe"="C:\\WINDOWS\\system32\\qwe"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"c:\\windows\\system32\\rlvknlg.exe"="c:\\windows\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\uccspecb.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\Shankar\Application Data\Microsoft\Word\~WRL0360.tmp
C:\Documents and Settings\Shankar\Application Data\Microsoft\Word\~WRL1880.tmp
C:\Documents and Settings\Shankar\My Documents\My Received Files\~WRL2906.tmp
C:\Program Files\InterActual\InterActual Player\iti128.tmp

Finished

Attached Files



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 30 August 2007 - 04:35 AM

Find and delete:
C:\ihggjl.ini

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#5 shankar

shankar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 30 August 2007 - 11:33 PM

Combo.txt

ComboFix 07-08-30.3 - "Shankar" 2007-08-30 15:54:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.402 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 15:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 23:57 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-28 22:32 <DIR> d-------- C:\backups
2007-08-28 22:01 401,720 --a------ C:\HiJackThis.exe
2007-08-27 13:57 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-27 00:08 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-26 18:17 1,203,318 --a------ C:\WINDOWS\system32\dn882dbc31.dat
2007-08-25 11:47 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-08-25 11:47 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-08-25 11:47 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-08-24 23:42 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-08-24 23:38 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-08-24 23:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-08-24 23:26 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-24 23:24 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2007-08-24 23:23 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-08-16 22:16 <DIR> d-------- C:\WINDOWS\provisioning
2007-08-13 19:20 <DIR> d-------- C:\DOCUME~1\Shankar\APPLIC~1\DivX
2007-08-13 19:19 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-13 19:19 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-13 19:19 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-08-13 19:19 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-08-13 19:19 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-08-03 14:49 <DIR> d-------- C:\DOCUME~1\Shankar\APPLIC~1\TVU Networks
2007-07-26 18:06 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 18:06 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 18:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 18:06 144,704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 18:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:30 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-07-25 22:25 <DIR> d-------- C:\Program Files\clone2burner
2007-07-19 19:42 4 --ah----- C:\WINDOWS\uccspecb.sys
2007-07-12 13:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-11 21:22 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-07-11 21:22 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-07-11 21:05 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-07-11 21:05 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-07-11 21:05 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-07-11 19:25 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-07-11 19:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-07-11 19:23 <DIR> d-------- C:\Program Files\Common Files\HP
2007-07-11 19:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-11 19:18 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-07-11 19:18 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-07-11 19:18 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-07-11 19:18 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-07-11 19:18 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-07-11 19:18 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-07-11 19:14 <DIR> d-------- C:\Program Files\HP
2007-07-11 19:12 <DIR> d-------- C:\DOCUME~1\Shankar\APPLIC~1\HP
2007-07-11 19:04 79,231 --a------ C:\WINDOWS\hpfins05.dat
2007-07-11 19:04 1,350 --------- C:\WINDOWS\hpfmdl05.dat
2007-07-11 19:03 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-07-11 19:03 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-27 13:50 --------- d-------- C:\Program Files\PC-Doctor for Windows
2007-08-25 18:22 --------- d-------- C:\Program Files\Yahoo!
2007-08-24 23:38 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-08-24 23:38 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-08-24 23:29 --------- dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-24 23:26 74864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-08-24 23:26 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-08-24 23:26 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-08-24 23:26 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-08-24 23:26 115824 --a------ C:\WINDOWS\UnVet32.exe
2007-08-24 23:26 111728 --a------ C:\WINDOWS\AVShlExt.dll
2007-08-24 22:58 --------- d-------- C:\DOCUME~1\Shankar\APPLIC~1\Azureus
2007-08-23 21:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-22 01:04 --------- d-------- C:\Program Files\Azureus
2007-08-21 21:27 --------- d-------- C:\Program Files\MSN Messenger
2007-08-13 19:20 --------- d-------- C:\Program Files\DivX
2007-08-12 13:27 --------- d-------- C:\Program Files\QuickTime
2007-08-12 13:16 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 18:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-26 18:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 18:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 18:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 18:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 18:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 18:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 18:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 18:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 18:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 18:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 18:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-26 18:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 18:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-03 20:26 --------- d-------- C:\Program Files\Lavasoft
2007-07-03 20:26 --------- d-------- C:\DOCUME~1\Shankar\APPLIC~1\Lavasoft
2007-06-26 10:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 13:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 13:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 13:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 13:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 13:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 13:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 13:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 13:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 13:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 13:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 13:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 13:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 13:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 13:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 13:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 13:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 13:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 09:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2005-05-11 23:36 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll
2003-06-18 12:27 1523 -----c--- C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 08:53 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33]
"TP4EX"="tp4ex.exe" [2002-02-22 03:04 C:\WINDOWS\system32\TP4EX.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-02-28 16:26]
"ACUMon"="C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" [2003-02-19 13:52]
"IMWEBSTA.EXE"="IMWEBSTA.exe" [2002-05-28 23:28 C:\WINDOWS\system32\IMWEBSTA.exe]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-12-17 04:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"dvd43"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"TrackPointSrv"="tp4serv.exe" [2002-03-20 05:05 C:\WINDOWS\system32\tp4serv.exe]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-08-24 23:26]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-08-24 23:26]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
"Notification Packages"= scecli pwdmon

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\System32\CCM\CcmExec.exe
R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\System32\drivers\ibmfilter.sys
R3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys
S3 GearAspiWDM_BackUp;GEARAspiWDM;C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\oracle\ora81\BIN\ONRSD.EXE
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\PCDRDRV.sys
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys
S3 PCX500MP;Cisco 350 Series Lower Device Filter;C:\WINDOWS\system32\DRIVERS\pcx500mp.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\System32\CCM\prepdrv.sys
S3 PsShutdownSvc;PsShutdown;C:\WINDOWS\System32\PSSDNSVC.EXE
S3 pwalker;Process Walker Driver;\??\C:\DOCUME~1\Shankar\LOCALS~1\Temp\nsi3.tmp\pwalker.sys
S3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys


Contents of the 'Scheduled Tasks' folder
2007-08-30 21:08:35 C:\WINDOWS\Tasks\BMMTask.job
2007-08-30 21:07:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 16:13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 16:18:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 16:18

--- E O F ---


Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:53 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINDOWS\system32\IMWEBSTA.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getProxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.verizon.com:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe"
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - S-1-5-19 Startup: Acrobat60.vbs (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: Acrobat60.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: Acrobat60.vbs (User 'Default user')
O4 - .DEFAULT User Startup: Acrobat60.vbs (User 'Default user')
O4 - .DEFAULT User Startup: PowerFix.vbs (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.43/uploader2.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (Software Center) - http://us.dl1.yimg.com/download.yahoo.com/...ntr_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173826364247
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = its.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = its.verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BA299BB-B8BE-47C1-866E-DA5656C1B2CE}: NameServer = 113.128.189.1,113.128.189.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,basit.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe

--
End of file - 9479 bytes

Thanks
Shankar

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 31 August 2007 - 05:06 AM

Download and scan with the free 15-day trial of Counterspy V2.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

Also post a new Hijackthis log.