Smitfraud And Vundo


  • This topic is locked
12 replies to this topic

#1 chaitu

  • Members
  • 7 posts

Posted 18 September 2007 - 02:47 PM

Hi,
I have a problem with popups coming up every now and then. I regularly run Spybot Search and Destroy and Ad-Aware SE, but I am not able to eradicate the problem completely.

I have recently found a new problem. Whenever I start any application, an error box pops up and says the following.

" The application or DLL C:\WINDOWS\system32\hadjajr.ini is not a valid Windows image. Please check this against your installation diskette. "

The message is the same irrespective of the application that is started. I am also unable to remove Smitfraud core services using Spybot.


I have run all the steps described in the preparation guide. I will paste the HijackThis log and the Pandasoft ActiveScan log below.


HijackThis log
+++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:59 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 12/27/06 07:01:02
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C15D78A-C4AB-4DCC-AE2B-EBCB82A877DE} - C:\WINDOWS\system32\opnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\fqracqof.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O20 - Winlogon Notify: opnnl - C:\WINDOWS\system32\opnnl.dll (file missing)
O20 - Winlogon Notify: wvutqoo - wvutqoo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10645 bytes


Pandasoft Activescan Log

+++++++++++++++++++++++++++++++++++++++++++


Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA7P_0001_N91M0809NetInstaller.exe
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\The Nobodies\Application Data\Mozilla\Firefox\Profiles\vao6aygc.default\cookies.txt[.overture.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@azjmp[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@cgi-bin[5].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@cgi-bin[9].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\The Nobodies\Cookies\the nobodies@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\The Nobodies\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\The Nobodies\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\The Nobodies\Desktop\VundoFix.exe[process.exe]
Virus:Trj/Clicker.AFN Disinfected C:\quarantine\explore.exe.Vir
Virus:Trj/Clicker.AFN Disinfected C:\quarantine\explore.exe.Vir.0
Virus:Trj/Clicker.AFN Disinfected C:\quarantine\explore.exe.Vir.1
Adware:Adware/TTC Not disinfected C:\WINDOWS\qwr67.exe[folder.js]
Adware:Adware/GoodSearchNow Not disinfected C:\WINDOWS\system32\drivers\core.sys
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\system32\nwinmndt.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Thank You

Chaitu
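As an added example (not part of this thread, and not HijackThis or SmitfraudFix code), here is a small Python triage script for the HijackThis log format posted above: it flags the AppInit_DLLs entry that points at a non-DLL file, which is what makes every newly started application raise the "not a valid Windows image" error, plus the orphaned Winlogon Notify and BHO entries whose files are already gone. The embedded log lines are a constructed subset of the log in this post, and the BHO allowlist is an assumption for this machine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines from the HijackThis log posted above,
# plus one legitimate named BHO (Adobe) and a service line for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C15D78A-C4AB-4DCC-AE2B-EBCB82A877DE} - C:\WINDOWS\system32\opnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\fqracqof.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O20 - Winlogon Notify: opnnl - C:\WINDOWS\system32\opnnl.dll (file missing)
O20 - Winlogon Notify: wvutqoo - wvutqoo.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Every HijackThis entry line starts with a section tag such as R0, O2, O20.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# "BHO: <name> - {<CLSID>} - <path>"
BHO_RE = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")

# Assumption: a tiny allowlist of legitimate BHOs that HijackThis shows as "(no name)".
# Spybot's SDHelper.dll is the one on this machine; extend it for your own environment.
KNOWN_GOOD_BHO = {"sdhelper.dll"}


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "O20"
    body: str     # everything after "O20 - "


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into entries; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _basename(path: str) -> str:
    """File name of a logged path, with the '(file missing)' marker stripped, lower-cased."""
    return path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()


def triage(entries: list[Entry]) -> list[Finding]:
    findings = []
    for e in entries:
        body = e.body
        if e.section == "O20" and body.startswith("AppInit_DLLs:"):
            path = body.split(":", 1)[1].strip()
            # user32.dll loads every AppInit_DLLs value into each process that links it.
            # A value that is not a loadable DLL (here an .ini-named file) makes every new
            # process hit the "not a valid Windows image" error described in the post.
            if path and not path.lower().endswith(".dll"):
                findings.append(Finding("O20", "AppInit_DLLs points at a non-.dll file", path))
        elif e.section == "O20" and body.startswith("Winlogon Notify:"):
            if body.endswith("(file missing)"):
                # The registry still names a notification DLL that no longer exists.
                findings.append(Finding("O20", "orphaned Winlogon Notify entry",
                                        _basename(body.split(" - ", 1)[1])))
        elif e.section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            name, _clsid, path = m.groups()
            fname = _basename(path)
            if path.endswith("(file missing)"):
                findings.append(Finding("O2", "orphaned BHO (file missing)", fname))
            elif name == "(no name)" and fname not in KNOWN_GOOD_BHO:
                findings.append(Finding("O2", "unnamed BHO not on allowlist", fname))
    return findings


def main() -> None:
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.section}] {f.reason}: {f.detail}")


if __name__ == "__main__":
    main()
```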


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 September 2007 - 02:05 PM

Hi chaitu,


Welcome to the BleepingComputer Forums. :thumbsup:

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of the SmitfraudFix report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by SifuMike, 23 September 2007 - 02:06 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 chaitu

  • Topic Starter

  • Members
  • 7 posts

Posted 25 September 2007 - 07:44 PM

Sorry for the delayed response. Here is the Smitfraud report.


Chaitu

SmitFraudFix v2.230

Scan done at 17:40:08.74, Tue 09/25/2007
Run from C:\Documents and Settings\The Nobodies\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Nobodies\Application Data\SopCast\adv\SopAdver.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hadjajr.ini FOUND !
C:\WINDOWS\system32\vtr???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Nobodies


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Nobodies\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THENOB~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hadjajr.ini"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{234662F6-542F-4D3B-AD3E-FE4A2FB1CD38}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{234662F6-542F-4D3B-AD3E-FE4A2FB1CD38}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{234662F6-542F-4D3B-AD3E-FE4A2FB1CD38}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 25 September 2007 - 11:24 PM

Hello chaitu,

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#5 chaitu

  • Topic Starter

  • Members
  • 7 posts

Posted 26 September 2007 - 02:32 PM

Hi SifuMike,
I ran smitfraud.exe twice, as it prompted me to do so. I am attaching the HijackThis log and rapport.txt below.

+++++++++++++++++++++++++++++++++++++++++++++
HijackThis Log
+++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:51 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 12/27/06 07:01:02
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C15D78A-C4AB-4DCC-AE2B-EBCB82A877DE} - C:\WINDOWS\system32\opnnl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\fqracqof.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnnl - C:\WINDOWS\system32\opnnl.dll (file missing)
O20 - Winlogon Notify: wvutqoo - wvutqoo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 11011 bytes


+++++++++++++++++++++++++++++++++++++++++++
Rapport.txt Smitfraud text file
+++++++++++++++++++++++++++++++++++++++++++

SmitFraudFix v2.230

Scan done at 12:21:30.05, Wed 09/26/2007
Run from C:\Documents and Settings\The Nobodies\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
69.25.74.36 MAIL006 #Exchange Hosting 12/27/06 07:01:02
69.25.74.37 MAIL007 #Exchange Hosting 12/27/06 07:01:02
69.25.74.38 BE008 #Exchange Hosting 12/27/06 07:01:02
69.25.74.39 BE009 #Exchange Hosting 12/27/06 07:01:02
69.25.74.40 BE010 #Exchange Hosting 12/27/06 07:01:02
69.25.74.41 BE011 #Exchange Hosting 12/27/06 07:01:02
69.25.74.42 BE012 #Exchange Hosting 12/27/06 07:01:02
69.25.74.43 BE013 #Exchange Hosting 12/27/06 07:01:02
69.25.74.44 BE014 #Exchange Hosting 12/27/06 07:01:02
69.25.75.222 BE015 #Exchange Hosting 12/27/06 07:01:02
69.25.74.46 BE016 #Exchange Hosting 12/27/06 07:01:02
69.25.74.47 BE017 #Exchange Hosting 12/27/06 07:01:02
69.25.74.48 BE018 #Exchange Hosting 12/27/06 07:01:02
69.25.74.49 BE019 #Exchange Hosting 12/27/06 07:01:02
69.25.74.50 BE020 #Exchange Hosting 12/27/06 07:01:02
69.25.74.51 BE021 #Exchange Hosting 12/27/06 07:01:02
69.25.74.52 BE022 #Exchange Hosting 12/27/06 07:01:02
69.25.74.53 BE023 #Exchange Hosting 12/27/06 07:01:02
69.25.74.54 BE024 #Exchange Hosting 12/27/06 07:01:02
69.25.74.55 BE025 #Exchange Hosting 12/27/06 07:01:02
69.25.74.56 BE026 #Exchange Hosting 12/27/06 07:01:02
69.25.74.57 BE027 #Exchange Hosting 12/27/06 07:01:02
69.25.74.58 BE028 #Exchange Hosting 12/27/06 07:01:02
64.95.72.199 BE029 #Exchange Hosting 12/27/06 07:01:02
64.95.72.200 BE030 #Exchange Hosting 12/27/06 07:01:02
64.95.72.201 BE031 #Exchange Hosting 12/27/06 07:01:02
64.95.72.202 BE032 #Exchange Hosting 12/27/06 07:01:02
64.95.72.203 BE033 #Exchange Hosting 12/27/06 07:01:02
64.95.72.204 BE034 #Exchange Hosting 12/27/06 07:01:02
64.95.72.205 BE035 #Exchange Hosting 12/27/06 07:01:02
64.95.72.206 BE036 #Exchange Hosting 12/27/06 07:01:02
64.95.72.207 BE037 #Exchange Hosting 12/27/06 07:01:02
64.95.72.208 BE038 #Exchange Hosting 12/27/06 07:01:02
64.95.72.209 BE039 #Exchange Hosting 12/27/06 07:01:02
64.95.72.210 BE040 #Exchange Hosting 12/27/06 07:01:02
64.95.72.211 BE041 #Exchange Hosting 12/27/06 07:01:02

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\Delete_Me_Dummy_hadjajr.ini Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8153ACAC-6C95-41D8-B144-C0CD8F2BD8E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8153ACAC-6C95-41D8-B144-C0CD8F2BD8E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8153ACAC-6C95-41D8-B144-C0CD8F2BD8E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Thank You
Chaitu

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 September 2007 - 07:43 PM

Hi chaitu,


Download CCleaner and install it (the default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.


*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked".

O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 12/27/06 07:01:02
O2 - BHO: (no name) - {4C15D78A-C4AB-4DCC-AE2B-EBCB82A877DE} - C:\WINDOWS\system32\opnnl.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\fqracqof.dll (file missing)
O20 - Winlogon Notify: opnnl - C:\WINDOWS\system32\opnnl.dll (file missing)
O20 - Winlogon Notify: wvutqoo - wvutqoo.dll (file missing)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Menu Shortcuts.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop.

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
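A small triage script for HijackThis logs, added here as an example: it is not code from this thread, from HijackThis or from BleepingComputer. It parses the "Oxx - ..." entry lines and flags the kinds of entries the post above asks to have fixed: O1 hosts overrides that point a name away from loopback, unnamed BHOs, Winlogon Notify handlers, and any entry whose referenced file is missing. The sample lines are copied from the logs posted in this thread; the function names (parse_hjt, hosts_target, triage) and the flagging rules are my own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: a few HijackThis v2.0.2 lines copied from the logs in this thread,
# covering hosts overrides, an unnamed BHO, an orphaned Winlogon Notify entry and benign entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/27/06 07:01:02
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 12/27/06 07:01:02
O2 - BHO: (no name) - {4C15D78A-C4AB-4DCC-AE2B-EBCB82A877DE} - C:\WINDOWS\system32\opnnl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O20 - Winlogon Notify: wvutqoo - wvutqoo.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into section/body records; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append({"section": match.group("section"), "body": match.group("body")})
    return entries


def hosts_target(body: str) -> str:
    """Return the address from an O1 body of the form 'Hosts: <address> <name> ...'."""
    return body.split(":", 1)[1].split()[0]


def triage(text: str) -> List[Dict[str, object]]:
    """Return the entries worth a second look, each with the reasons it was flagged.

    The rules (my own, not HijackThis's) mirror what the helper in this thread asked
    to have fixed: hosts entries that redirect names away from loopback, unnamed BHOs,
    Winlogon Notify handlers, and any autostart entry whose file no longer exists.
    """
    findings = []
    for entry in parse_hjt(text):
        section, body = entry["section"], entry["body"]
        reasons: List[str] = []
        if section == "O1" and body.startswith("Hosts:"):
            address = hosts_target(body)
            try:
                if not ipaddress.ip_address(address).is_loopback:
                    reasons.append(f"hosts file maps a name to non-loopback address {address}")
            except ValueError:
                reasons.append(f"hosts entry with unparsable address {address!r}")
        if section == "O2" and "(no name)" in body:
            reasons.append("browser helper object with no name")
        if section == "O20":
            reasons.append("Winlogon Notify handler, loaded into winlogon.exe at logon")
        if body.endswith("(file missing)"):
            reasons.append("referenced file is missing: orphaned registry entry")
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['section']} - {finding['body']}")
        for reason in finding["reasons"]:
            print(f"    * {reason}")
```

The script reports and never deletes: a flagged hosts entry can be a legitimate corporate override (the "Exchange Hosting" lines here look like one), and an orphaned "(file missing)" entry is harmless on its own but is the residue that the fix-checked step clears. The point of the rules is to shorten the read of a long log, not to replace the judgement of whoever is reviewing it.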

#7 chaitu

chaitu
  • Topic Starter

  • Members
  • 7 posts

Posted 27 September 2007 - 04:05 AM

Hi Sifumike,


Here are the reports:

ComboFix Log
+++++++++++++++++++++++++++++

ComboFix 07-09-21.2 - "The Nobodies" 2007-09-27 1:47:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.342 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\poolsv
C:\Program Files\svhost
C:\temp\tn3
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\usrinit.exe
C:\WINDOWS\system32\win

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-27 01:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 01:15 <DIR> d-------- C:\Program Files\CCleaner
2007-09-25 23:29 <DIR> d-------- C:\Program Files\Dl_cats
2007-09-25 23:28 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-25 23:28 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-09-25 23:27 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-09-25 23:26 <DIR> d-------- C:\Dell922
2007-09-25 23:07 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-25 23:07 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-22 10:34 <DIR> d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\Help
2007-09-18 21:07 <DIR> d-------- C:\Program Files\iPod
2007-09-18 12:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-18 12:26 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Google
2007-09-18 12:19 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-18 12:19 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-18 12:19 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-18 12:19 <DIR> d-------- C:\Program Files\Sygate
2007-09-11 20:47 <DIR> d-------- C:\Program Files\Picasa2
2007-09-11 20:43 <DIR> d-------- C:\krovi
2007-09-09 12:19 <DIR> d-------- C:\Vinod
2007-09-05 18:11 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-09-05 18:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-05 18:10 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 18:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-04 22:39 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2007-09-04 22:39 49,484 --a------ C:\WINDOWS\system32\drivers\mardpnp.sys
2007-09-04 22:39 49,399 --a------ C:\WINDOWS\system32\drivers\mamotou.sys
2007-09-04 22:39 24,789 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2007-09-04 22:39 11,473 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys
2007-09-04 20:39 68,096 --a------ C:\WINDOWS\system32\l3acdb2.dll
2007-09-02 23:11 109,568 --a------ C:\WINDOWS\system32\rt27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 01:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 16:48 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-26 16:48 --------- d-------- C:\Program Files\iTunes
2007-09-26 16:48 --------- d-------- C:\Program Files\Google
2007-09-24 05:06 --------- d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\SopCast
2007-09-24 05:02 --------- d-------- C:\Program Files\SopCast
2007-09-18 21:09 --------- d-------- C:\Program Files\Apple Software Update
2007-09-09 12:35 --------- d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\Apple Computer
2007-09-05 18:14 --------- d-------- C:\Program Files\QuickTime
2007-08-17 11:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-17 11:08 --------- d-------- C:\Program Files\Yahoo!
2007-08-16 00:10 --------- d-------- C:\Program Files\PokerStars
2007-08-13 15:55 --------- d-------- C:\Program Files\Belkin
2007-08-07 11:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 11:50 --------- d-------- C:\Program Files\Veoh Networks
2006-10-16 23:42 56912 --a------ C:\DOCUME~1\THENOB~1\g2mdlhlpx.exe
2006-10-08 09:33:18 56 --sh--r C:\WINDOWS\system32\62C5BBBE17.sys
2006-10-08 09:33:18 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 14:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 15:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 17:29]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-10-05 18:28]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 08:11]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 08:45]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe" [2007-07-20 22:13]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^The Nobodies^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\The Nobodies\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^The Nobodies^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\The Nobodies\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\system32\gvtvkdds.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
atwtusb.exe beta

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\nwinmndt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
"C:\DOCUME~1\THENOB~1\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe" -nag

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-6E-EE-E0-ZN}]
c:\windows\system32\mldsregm.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLTRYSVC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S1 aiptektp;Pen Pad;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 W8335XP;eHome Wireless 802.11g/b Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\MRV8335XP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd66ebb-eea7-11db-bf95-000f20cb68be}]
AutoRun\command- H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{859cc817-a0de-11db-bf68-000f20cb68be}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{859cc818-a0de-11db-bf68-000f20cb68be}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af9310ea-5593-11db-bf1d-000f20cb68be}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e19a69c6-7733-11db-bf37-000f20cb68be}]
AutoRun\command- G:\.\Recycled\Driveinfo.exe
Open\Command- G:\.\Recycled\Driveinfo.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 13:48:34 C:\WINDOWS\Tasks\07 New York.job"
- E:\Music\A R Rahaman\Unknown Album\07 New York.mp3
"2007-09-26 00:07:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 01:53:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????2?4?0?9??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 1:55:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 01:55
.
--- E O F ---



Hijack This Log
++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:28 AM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7956 bytes



Thank You
Chaitu

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 September 2007 - 10:34 AM

Hi chaitu,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:
C:\WINDOWS\system32\l3acdb2.dll


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following file:
C:\WINDOWS\system32\rt27.exe


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 chaitu
  • Topic Starter
  • Members
  • 7 posts

Posted 27 September 2007 - 12:16 PM

Hi Sifumike,

here are the results


Antivirus Version Last Update Result
AhnLab-V3 2007.9.28.0 2007.09.27 -
AntiVir 7.6.0.15 2007.09.27 TR/Peed.IBB.7
Authentium 4.93.8 2007.09.27 -
Avast 4.7.1043.0 2007.09.26 -
AVG 7.5.0.488 2007.09.27 Adware Generic2.OYN
BitDefender 7.2 2007.09.27 Trojan.Bho.Agent.Q
CAT-QuickHeal 9.00 2007.09.27 AdWare.BHO.cw (Not a Virus)
ClamAV 0.91.2 2007.09.26 -
DrWeb 4.33 2007.09.27 -
eSafe 7.0.15.0 2007.09.23 -
eTrust-Vet 31.2.5168 2007.09.27 -
Ewido 4.0 2007.09.27 -
FileAdvisor 1 2007.09.27 -
Fortinet 3.11.0.0 2007.09.27 -
F-Prot 4.3.2.48 2007.09.26 -
F-Secure 6.70.13030.0 2007.09.27 -
Ikarus T3.1.1.12 2007.09.27 Trojan-Downloader.Win32.Delf.AEO
Kaspersky 7.0.0.125 2007.09.27 not-a-virus:AdWare.Win32.BHO.cw
McAfee 5129 2007.09.27 -
Microsoft 1.2803 2007.09.27 Trojan:Win32/Adclicker.AH
NOD32v2 2554 2007.09.26 -
Norman 5.80.02 2007.09.27 W32/BHO.ABR
Panda 9.0.0.4 2007.09.27 Suspicious file
Prevx1 V2 2007.09.27 -
Rising 19.42.32.00 2007.09.27 -
Sophos 4.21.0 2007.09.27 -
Sunbelt 2.2.907.0 2007.09.26 AdWare.Win32.BHO.cw
Symantec 10 2007.09.27 Trojan.Adclicker
TheHacker 6.2.6.072 2007.09.27 -
VBA32 3.12.2.4 2007.09.26 AdWare.Win32.BHO.cw
VirusBuster 4.3.26:9 2007.09.27 -
Webwasher-Gateway 6.0.1 2007.09.27 Trojan.Peed.IBB.7

Additional information
File size: 68096 bytes
MD5: f624bba67b92d2a68402a608d3e3c13b
SHA1: a4ef8d3a17434efa1b65737d263aace78f2194a0
packers: UPX



File rt27.exe received on 09.27.2007 19:07:31 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.28.0 2007.09.27 Dropper/Xema.109568.C
AntiVir 7.6.0.15 2007.09.27 TR/Crypt.XDR.Gen
Authentium 4.93.8 2007.09.27 W32/Trojan.CCGE
Avast 4.7.1043.0 2007.09.26 -
AVG 7.5.0.488 2007.09.27 Delf.BJF
BitDefender 7.2 2007.09.27 Trojan.Bho.Agent.Q
CAT-QuickHeal 9.00 2007.09.27 TrojanDropper.Delf.agw
ClamAV 0.91.2 2007.09.26 -
DrWeb 4.33 2007.09.27 Trojan.DownLoader.30343
eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm
eTrust-Vet 31.2.5168 2007.09.27 -
Ewido 4.0 2007.09.27 -
FileAdvisor 1 2007.09.27 -
Fortinet 3.11.0.0 2007.09.27 -
F-Prot 4.3.2.48 2007.09.26 W32/Trojan.CCGE
F-Secure 6.70.13030.0 2007.09.27 Trojan-Dropper.Win32.Delf.agw
Ikarus T3.1.1.12 2007.09.27 Trojan-Dropper.Win32.Delf.agw
Kaspersky 7.0.0.125 2007.09.27 Trojan-Dropper.Win32.Delf.agw
McAfee 5129 2007.09.27 -
Microsoft 1.2803 2007.09.27 -
NOD32v2 2554 2007.09.26 -
Norman 5.80.02 2007.09.27 W32/BHO.ABR.dropper
Panda 9.0.0.4 2007.09.27 Trj/Downloader.MDW
Prevx1 V2 2007.09.27 Malware.Gen
Rising 19.42.32.00 2007.09.27 -
Sophos 4.21.0 2007.09.27 -
Sunbelt 2.2.907.0 2007.09.26 AdWare.Win32.BHO.cw
Symantec 10 2007.09.27 Trojan.Adclicker
TheHacker 6.2.6.072 2007.09.27 -
VBA32 3.12.2.4 2007.09.26 AdWare.Win32.BHO.cw
VirusBuster 4.3.26:9 2007.09.27 -
Webwasher-Gateway 6.0.1 2007.09.27 Trojan.Crypt.XDR.Gen


Additional information
File size: 109568 bytes
MD5: 42bbaa9571ff70ab67d5bad270243c6f
SHA1: 7240c506d72b0d3aadbac439d8eb267d152b07b4
norman sandbox: [ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 109568 bytes.

 [ Changes to filesystem ]
 * Creates file C:\WINDOWS\system32\l3acdb2.dll.

 [ Signature Scanning ]
 * C:\WINDOWS\system32\l3acdb2.dll (68096 bytes) : W32/BHO.ABR.
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...E79B800786608AA


thank you
chaitu

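As an added example (not from the thread or from VirusTotal), here is a small Python parser for multi-engine result listings in the layout pasted above; it sets aside the glued "AhnLab-V3" line instead of mis-reading it, counts detections, folds the vendor names into coarse families and flags engines whose signatures were older than the rest, since a "-" from a stale engine says less than one from a current engine. The sample lines are constructed from the first listing in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the result lines pasted in the thread:
# engine, engine version, signature date, verdict ("-" means no detection).
# The first data line reproduces the glued "AhnLab-V32007.9.28.0" token.
SAMPLE_RESULTS = """\
Antivirus Version Last Update Result
AhnLab-V32007.9.28.0 2007.09.27 -
AntiVir 7.6.0.15 2007.09.27 TR/Peed.IBB.7
Avast 4.7.1043.0 2007.09.26 -
AVG 7.5.0.488 2007.09.27 Adware Generic2.OYN
CAT-QuickHeal 9.00 2007.09.27 AdWare.BHO.cw (Not a Virus)
Kaspersky 7.0.0.125 2007.09.27 not-a-virus:AdWare.Win32.BHO.cw
McAfee 5129 2007.09.27 -
Microsoft 1.2803 2007.09.27 Trojan:Win32/Adclicker.AH
Panda 9.0.0.4 2007.09.27 Suspicious file
Symantec 10 2007.09.27 Trojan.Adclicker
"""

# Engine and version are single tokens; the signature date anchors the split,
# so a verdict containing spaces ("Suspicious file") is captured whole.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str            # signature date as printed, YYYY.MM.DD
    result: Optional[str]   # None when the engine reported "-"


def parse_results(text: str) -> Tuple[List[EngineResult], List[str]]:
    """Parse pasted result lines. Lines that do not fit the layout are
    returned separately rather than silently dropped or mis-read."""
    rows: List[EngineResult] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Antivirus "):
            continue                      # blank line or column header
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        verdict = m.group("result")
        rows.append(EngineResult(m.group("engine"), m.group("version"),
                                 m.group("updated"),
                                 None if verdict == "-" else verdict))
    return rows, rejected


def classify(verdict: str) -> str:
    """Fold vendor-specific naming into a coarse bucket for comparison."""
    v = verdict.lower()
    if "adware" in v or "not-a-virus" in v or "not a virus" in v:
        return "adware/PUA"
    if "trojan" in v or v.startswith("tr/") or "dropper" in v or "downloader" in v:
        return "trojan"
    if "suspicious" in v or v.endswith(".gen") or "malware.gen" in v:
        return "heuristic"
    return "other"


def summarize(rows: List[EngineResult]) -> Dict[str, object]:
    """Detection count plus the engines grouped by coarse family."""
    detected = [r for r in rows if r.result is not None]
    families: Dict[str, List[str]] = {}
    for r in detected:
        families.setdefault(classify(r.result), []).append(r.engine)
    return {"engines": len(rows), "detections": len(detected), "families": families}


def stale_engines(rows: List[EngineResult]) -> List[str]:
    """Engines whose signatures predate the newest date in the set: a clean
    verdict from such an engine carries less weight."""
    if not rows:
        return []
    newest = max(r.updated for r in rows)   # YYYY.MM.DD sorts lexically
    return [r.engine for r in rows if r.updated < newest]


if __name__ == "__main__":
    parsed, bad = parse_results(SAMPLE_RESULTS)
    print(summarize(parsed))
    print("stale signatures:", stale_engines(parsed))
    print("unparsed lines:", bad)
```
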
#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 September 2007 - 01:47 PM

Hi chaitu,


Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af9310ea-5593-11db-bf1d-000f20cb68be}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e19a69c6-7733-11db-bf37-000f20cb68be}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{859cc818-a0de-11db-bf68-000f20cb68be}]



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.





#11 chaitu
  • Topic Starter
  • Members
  • 7 posts

Posted 27 September 2007 - 02:56 PM

Here are the reports


Combofix.txt
++++++++++++++++++++++++++++++

ComboFix 07-09-21.2 - "The Nobodies" 2007-09-27 12:45:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.318 [GMT -7:00]
Command switches used :: C:\Documents and Settings\The Nobodies\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-27 01:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 01:15 <DIR> d-------- C:\Program Files\CCleaner
2007-09-25 23:29 <DIR> d-------- C:\Program Files\Dl_cats
2007-09-25 23:28 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-25 23:28 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-09-25 23:27 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-09-25 23:26 <DIR> d-------- C:\Dell922
2007-09-25 23:07 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-25 23:07 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-22 10:34 <DIR> d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\Help
2007-09-18 21:07 <DIR> d-------- C:\Program Files\iPod
2007-09-18 12:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-18 12:26 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Google
2007-09-18 12:19 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-18 12:19 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-18 12:19 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-18 12:19 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-18 12:19 <DIR> d-------- C:\Program Files\Sygate
2007-09-11 20:47 <DIR> d-------- C:\Program Files\Picasa2
2007-09-11 20:43 <DIR> d-------- C:\krovi
2007-09-09 12:19 <DIR> d-------- C:\Vinod
2007-09-05 18:11 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-09-05 18:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-05 18:10 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 18:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-04 22:39 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2007-09-04 22:39 49,484 --a------ C:\WINDOWS\system32\drivers\mardpnp.sys
2007-09-04 22:39 49,399 --a------ C:\WINDOWS\system32\drivers\mamotou.sys
2007-09-04 22:39 24,789 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2007-09-04 22:39 11,473 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 02:41 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-27 02:41 --------- d-------- C:\Program Files\iTunes
2007-09-27 02:40 --------- d-------- C:\Program Files\Google
2007-09-27 02:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-24 05:06 --------- d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\SopCast
2007-09-24 05:02 --------- d-------- C:\Program Files\SopCast
2007-09-18 21:09 --------- d-------- C:\Program Files\Apple Software Update
2007-09-09 12:35 --------- d-------- C:\DOCUME~1\THENOB~1\APPLIC~1\Apple Computer
2007-09-05 18:14 --------- d-------- C:\Program Files\QuickTime
2007-08-17 11:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-17 11:08 --------- d-------- C:\Program Files\Yahoo!
2007-08-16 00:10 --------- d-------- C:\Program Files\PokerStars
2007-08-13 15:55 --------- d-------- C:\Program Files\Belkin
2007-08-07 11:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 11:50 --------- d-------- C:\Program Files\Veoh Networks
2006-10-16 23:42 56912 --a------ C:\DOCUME~1\THENOB~1\g2mdlhlpx.exe
2006-10-08 09:33:18 56 --sh--r C:\WINDOWS\system32\62C5BBBE17.sys
2006-10-08 09:33:18 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-27_ 15501.88 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 228,506 2007-09-27 19:49:59 C:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-09-27 19:50:00 C:\WINDOWS\Temp\Perflib_Perfdata_4c0.dat
.
----a-w 228,510 2007-09-27 08:52:58 C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 14:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 15:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 17:29]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-10-05 18:28]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 08:11]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 08:45]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe" [2007-07-20 22:13]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^The Nobodies^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\The Nobodies\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^The Nobodies^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\The Nobodies\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
atwtusb.exe beta

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\nwinmndt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
"C:\DOCUME~1\THENOB~1\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe" -nag

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B6-6E-EE-E0-ZN}]
c:\windows\system32\mldsregm.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLTRYSVC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S1 aiptektp;Pen Pad;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S3 W8335XP;eHome Wireless 802.11g/b Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\MRV8335XP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd66ebb-eea7-11db-bf95-000f20cb68be}]
AutoRun\command- H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{859cc817-a0de-11db-bf68-000f20cb68be}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 13:48:34 C:\WINDOWS\Tasks\07 New York.job"
- E:\Music\A R Rahaman\Unknown Album\07 New York.mp3
"2007-09-26 00:07:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 12:50:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????2?4?0?9??`???? ???B???????????????B? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-27 12:54:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 12:53
C:\ComboFix2.txt ... 2007-09-27 02:01
C:\ComboFix3.txt ... 2007-09-27 01:55
.
--- E O F ---


Hijack this log
++++++++++++++++++++++++++++++


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:13 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7990 bytes


Thank You
Chaitu

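Added example, not part of the thread or of ComboFix itself: a Python dry-run that parses a CFScript in the form SifuMike posted (File:: entries and Registry:: lines of the [-KEY] deletion form, the only forms handled here) and checks the File:: entries against the "Other Deletions" section of the resulting ComboFix.txt, so a reader can confirm the script removed what it targeted. The sample script and log excerpt are constructed from the ones in this thread.

```python
import re
from typing import Dict, List

# Constructed CFScript using the two section types seen in the thread.
# "File::" lists files to delete; "[-KEY]" under "Registry::" deletes a key.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
"""

# Constructed excerpt in the layout of the ComboFix.txt posted in the thread.
SAMPLE_COMBOFIX_LOG = r"""FILE::
C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\system32\rt27.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")     # e.g. "File::", "Registry:: "
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")         # "[-HKEY_...]" deletes the key


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into planned actions. Anything outside the two
    handled forms lands in 'unhandled' so it is reviewed, not ignored."""
    actions: Dict[str, List[str]] = {"files": [], "registry_deletions": [], "unhandled": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "file":
            actions["files"].append(line)
        elif section == "registry":
            dm = DELETE_KEY_RE.match(line)
            if dm:
                actions["registry_deletions"].append(dm.group(1))
            else:
                actions["unhandled"].append(line)
        else:
            actions["unhandled"].append(line)
    return actions


def other_deletions(log: str) -> List[str]:
    """Paths listed under the 'Other Deletions' banner of a ComboFix log;
    the section ends at the next '((((' banner."""
    out: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((((") and "Other Deletions" in line:
            inside = True
            continue
        if inside and line.startswith("(((("):
            break
        if inside and line and line != ".":
            out.append(line)
    return out


def verify_deletions(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Which File:: targets the log confirms as deleted, and which it does not
    (case-insensitive, since Windows paths are)."""
    wanted = parse_cfscript(cfscript)["files"]
    done = {p.lower() for p in other_deletions(log)}
    return {"deleted": [p for p in wanted if p.lower() in done],
            "missing": [p for p in wanted if p.lower() not in done]}


if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_CFSCRIPT))
    print(verify_deletions(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG))
```
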
#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 September 2007 - 04:19 PM

Hello chaitu,

Your log looks clean! Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow 'How did I get infected?, With steps so it does not happen again!'
as well as
'How to prevent Malware' by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.





#13 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 September 2007 - 09:36 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.







