I Need Your Help In Removing Webcry Here Is My Hijackthis Log


38 replies to this topic

#1 Jack_smith_07

Posted 14 February 2008 - 10:12 AM

Hi Richie,

My problem is the same as with all WebCry-infected computers.

In fact I am posting the problem as described by a member; I don't want to repeat what WebCry does, but still here it is, as you are an expert :thumbsup:

SYMPTOMS: slow performance, Google searches when clicked are redirected to some WebCry or IP-looking servers promoting privacy software, constant infection with win32:ctx, adgen.... virus, trojan, adware; sometimes it puts its own image as a desktop wallpaper linking to a random privacy software page.

Secondly, the major problem is I am not able to access the internet after this virus installed itself on my computer. I am using some other computer right now.

Thanks for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:16 PM, on 14/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\scm.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\SkyTel.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\ZyXEL\MAX-100 Series\ZyXELMAX100SeriesUtility.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202936938.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BHR3] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ZyXEL MAX-100 Series Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--
End of file - 10593 bytes

#2 Jack_smith_07

Posted 14 February 2008 - 10:29 AM

Any takers, till Richie replies? Seems Richie is busy :thumbsup:

#3 Jack_smith_07

Posted 14 February 2008 - 12:35 PM

Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2008 at 10:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Quick Scan
Total Scan Time : 00:21:37

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 944
Registry threats detected : 3
File items scanned : 15046
File threats detected : 2

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

#4 Jack_smith_07

Posted 14 February 2008 - 12:37 PM

Here is the HijackThis log after running SAS and SmitFraudFix (in safe mode):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:55 PM, on 14/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ZyXEL\MAX-100 Series\ZyXELMAX100SeriesUtility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BHR3] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ZyXEL MAX-100 Series Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--
End of file - 9859 bytes

#5 Jack_smith_07

Posted 14 February 2008 - 12:45 PM

Here is the SmitFraudFix rapport.txt file:

SmitFraudFix v2.288

Scan done at 23:12:19.34, 14/02/2008
Run from C:\Documents and Settings\admin\Desktop\atvr\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 Jack_smith_07

Posted 14 February 2008 - 12:57 PM

Guys, I am still not able to access any website in IE7 or in Mozilla Firefox. I thought that some virus corrupted my DNS server program, but if I ping any website I can ping and receive replies, yet none of the sites open in IE or Firefox.

I think the WebCry thing is gone after running SAS.

Thanks for the help.

Here is the DNS fix and repair report generated by the SmitFraudFix tool (option no. 5):

SmitFraudFix v2.288

Scan done at 22:58:37.56, 14/02/2008
Run from C:\Documents and Settings\admin\Desktop\atvr\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Description: Intel® 82566MC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 80.58.61.250
DNS Server Search Order: 80.58.61.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254

DNS After Fix

Description: Intel® 82566MC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 80.58.61.250
DNS Server Search Order: 80.58.61.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0CE45231-DD96-4B38-B12C-B4B4A486739D}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254

#7 Jack_smith_07

Posted 15 February 2008 - 04:01 AM

Any Takers on this :thumbsup:

#8 Jack_smith_07

Posted 15 February 2008 - 04:26 AM

Still no takers :thumbsup:

#9 RichieUK

    Malware Assassin

  • Malware Response Team

Posted 15 February 2008 - 05:13 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Jack_smith_07.
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop.

Do not run it just yet.

Now please go here and follow the instructions to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#10 Jack_smith_07

Posted 15 February 2008 - 05:42 AM

Thanks for the response, I will do that.

#11 Jack_smith_07

Posted 15 February 2008 - 06:21 AM

Hi... thanks... here are the ComboFix logs:

ComboFix 08-02-15.2 - admin 2008-02-15 16:42:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1556 [GMT 5.5:30]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\iperf\Desktop_.ini
C:\WINDOWS\system32\DB037D75E7.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 23:47 . 2008-02-14 23:47 <DIR> d-------- C:\Program Files\Opera
2008-02-14 22:46 . 2008-02-14 23:12 4,500 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-14 22:02 . 2008-02-15 14:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 22:02 . 2008-02-14 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 22:02 . 2008-02-14 22:02 <DIR> d-------- C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com
2008-02-14 17:32 . 2008-02-14 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-02-14 17:22 . 2008-02-14 23:32 <DIR> d-------- C:\Program Files\Spy Cleaner Gold
2008-02-14 17:22 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-02-14 17:19 . 2008-02-14 17:19 <DIR> d-------- C:\Program Files\Zamaan's Software
2008-02-14 16:59 . 2008-02-14 16:59 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-14 16:58 . 2008-02-14 16:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 14:59 . 2008-02-14 14:59 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-14 14:59 . 2007-12-04 18:34 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-14 14:59 . 2004-01-09 14:43 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-14 14:59 . 2007-12-04 18:24 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-14 14:59 . 2007-12-04 20:25 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-14 14:59 . 2007-12-04 20:26 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-14 14:59 . 2007-12-04 20:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-14 14:59 . 2007-12-04 20:19 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-14 14:59 . 2007-12-04 20:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-14 06:02 . 2008-02-14 15:06 <DIR> d-------- C:\Program Files\Mobiola Web Camera
2008-02-14 03:59 . 2008-02-14 04:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-14 03:00 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-14 03:00 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-14 03:00 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-14 02:42 . 2008-02-14 02:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 22:42 . 2008-02-12 22:45 <DIR> d-------- C:\Beceem
2008-02-12 22:42 . 2008-01-25 15:26 206,336 --a------ C:\WINDOWS\system32\drivers\drxvi315.sys
2008-02-09 20:14 . 2008-02-09 20:14 <DIR> d-------- C:\WINDOWS\Sun
2008-02-08 15:57 . 2008-02-08 15:57 <DIR> d-------- C:\Program Files\ZyXEL
2008-02-08 15:57 . 2001-09-05 20:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-08 15:57 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-02-08 15:57 . 2007-02-08 16:23 14,592 --a------ C:\WINDOWS\system32\drivers\ZyXMAX100.sys
2008-02-07 07:29 . 2008-02-07 07:36 11 --a------ C:\WINDOWS\OSA.INI
2008-02-03 21:54 . 2008-02-03 21:55 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-03 20:32 . 2008-02-03 20:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-02 15:44 . 2007-12-07 07:51 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-02 15:44 . 2007-07-01 09:01 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-02 15:44 . 2007-07-01 09:06 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-02 15:44 . 2007-12-07 07:51 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-02 15:44 . 2007-12-07 07:51 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-02 15:44 . 2007-12-07 07:51 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-02 15:44 . 2007-12-07 07:51 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-02 15:44 . 2007-12-07 07:51 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-02 15:44 . 2007-12-06 16:30 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-02 15:40 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-02 10:35 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-02-02 10:35 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-01-29 06:46 . 2008-01-29 06:46 1,921,136 --a------ C:\WINDOWS\dbplugin.ocx
2008-01-29 06:46 . 2008-01-29 06:46 778,240 --a------ C:\WINDOWS\npdbplug.dll
2008-01-29 06:46 . 2008-01-29 06:46 627,200 --a------ C:\WINDOWS\dtaplugin.exe
2008-01-29 06:46 . 2008-01-29 06:46 597,504 --a------ C:\WINDOWS\dbplugin.exe
2008-01-29 06:46 . 2008-01-29 06:46 348,160 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-01-29 06:46 . 2008-01-29 06:46 40,960 --a------ C:\WINDOWS\dbrmdwb.exe
2008-01-29 06:46 . 2008-01-29 06:46 601 --a------ C:\WINDOWS\npdbplug.xpt
2008-01-22 11:57 . 2008-01-22 11:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-18 19:30 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-18 19:30 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-17 23:00 . 2008-02-13 18:15 4,194,371 --a------ C:\WINDOWS\pfirewall.log.old
2008-01-17 18:32 . 2006-10-05 08:12 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-17 18:32 . 2006-10-05 08:12 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-17 18:30 . 2008-01-17 18:32 <DIR> d-------- C:\Program Files\Picasa2
2008-01-16 06:35 . 2004-08-03 23:10 25,600 --a------ C:\WINDOWS\system32\drivers\hidbth.sys
2008-01-16 06:35 . 2004-08-03 23:10 25,600 --a--c--- C:\WINDOWS\system32\dllcache\hidbth.sys
2008-01-16 06:35 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-16 06:35 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-16 06:35 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-16 06:35 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-16 06:29 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-01-16 06:29 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-01-16 06:06 . 2004-05-26 15:52 49,152 --a------ C:\WINDOWS\system32\TosBthSupport.dll
2008-01-15 01:14 . 2008-02-10 21:16 <DIR> d-------- C:\malaga

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 08:57 --------- d-----w C:\Documents and Settings\admin\Application Data\AVG7
2008-02-14 16:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-13 21:41 --------- d-----w C:\Program Files\Norton 360
2008-02-12 17:50 152 ----a-w C:\WINDOWS\system32\drivers\macxvi.cfg
2008-02-12 17:12 673,610 ----a-w C:\WINDOWS\unins001.exe
2008-02-08 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 05:01 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-02 05:01 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-02 05:01 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-02 05:01 --------- d-----w C:\Program Files\Symantec
2008-02-02 04:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-25 10:01 1,655,000 ----a-w C:\WINDOWS\system32\drivers\macxvi200.bin
2008-01-25 09:56 25,600 ----a-w C:\WINDOWS\system32\drivers\BeceemPHS.sys
2008-01-22 06:25 --------- d-----w C:\Documents and Settings\admin\Application Data\AdobeUM
2008-01-16 00:36 --------- d-----w C:\Program Files\Toshiba
2008-01-16 00:20 --------- d-----w C:\Documents and Settings\admin\Application Data\toshiba
2008-01-15 17:03 --------- d-----w C:\Program Files\Google
2008-01-14 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-14 15:22 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 14:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-13 23:08 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-11 03:31 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-01-11 03:31 --------- d-----w C:\Program Files\Cisco Systems
2007-12-26 06:27 --------- d-----w C:\Program Files\SolarWinds
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 02:48 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-04-25 06:39 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 16:58 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 20:10 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 05:20 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2006-04-25 08:24 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-25 08:24 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"ThpSrv"="thpsrv /logon" []
"TFNF5"="TFNF5.exe" [2006-04-10 15:44 622592 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 04:43 122880]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 23:24 57344 C:\WINDOWS\system32\TOSDCR.exe]
"NDSTray.exe"="NDSTray.exe" []
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-18 00:12 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-05-22 17:50 122940]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 11:23 16207360 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-04-24 12:50 1448960 C:\WINDOWS\SkyTel.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-28 20:43 126976]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 17:36 30208]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-05 13:52 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-05 13:52 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-05 13:52 138008]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 11:29 115816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-14 20:12 579072]
"CFSServ.exe"="CFSServ.exe" []
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 17:30 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 01:33 36975]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 20:12 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth Monitor.lnk - C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2008-01-16 06:06:42 65536]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2008-01-11 09:02:00 1528880]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-05-14 02:07:39 155648]
ZyXEL MAX-100 Series Utility.lnk - C:\Program Files\ZyXEL\MAX-100 Series\ZyXELMAX100SeriesUtility.exe [2008-02-08 15:57:39 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-05-05 17:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BHR3]
--a------ 2005-07-12 04:00 5918720 C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 12:01]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-14 00:54]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 18:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 17:59]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 17:33]
R3 BeceemPHS;BeceemPHS;C:\WINDOWS\system32\DRIVERS\BeceemPHS.sys [2008-01-25 15:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 10:56]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 17:43]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18]
S3 BeceemNdisCardBus;Tarang;C:\WINDOWS\system32\DRIVERS\drxvi315.sys [2008-01-25 15:26]
S3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys [2006-11-01 18:45]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 17:43]
S3 MAX100;ZyXEL MAX100 IEEE 802.16e WiMAX Driver (PCMCIA);C:\WINDOWS\system32\DRIVERS\ZyXMAX100.sys [2007-02-08 16:23]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15b0a3dd-7a31-11dc-b634-001b7772d5bf}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2146d3e8-c4f5-11dc-b673-00037ac78323}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26f1b3c-7eeb-11dc-b63c-001b7772d5bf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26f1b3d-7eeb-11dc-b63c-001b7772d5bf}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3ca42b0-7e3d-11dc-b63a-001b7772d5bf}]
\Shell\Auto\command - E:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 16:46:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-15 16:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 11:17:29
.
2008-02-14 11:29:48 --- E O F ---
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3ca42b0-7e3d-11dc-b63a-001b7772d5bf}]
\Shell\Auto\command - E:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 16:46:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-15 16:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 11:17:29
.
2008-02-14 11:29:48 --- E O F ---

#12 Jack_smith_07 (Topic Starter), posted 15 February 2008 - 06:23 AM

New HijackThis log after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:52 PM, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\ZyXEL\MAX-100 Series\ZyXELMAX100SeriesUtility.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ZyXEL MAX-100 Series Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

--
End of file - 8775 bytes


Hi Richie... please suggest what to do next?

#13 Jack_smith_07 (Topic Starter), posted 15 February 2008 - 06:31 AM

I am still not able to access any website on IE or Firefox. My ping to www.google.com is working fine.

#14 RichieUK (Malware Assassin, Malware Response Team), posted 15 February 2008 - 07:37 AM

> I am still not able to access any website on IE or Firefox.

Download and run WinSock XP Fix:
http://www.snapfiles.com/get/winsockxpfix.html

If still no joy, try this:
Click on Start/Run, type CMD then press Ok.
At the command prompt copy and paste NETSH WINSOCK RESET then press Enter.
At the command prompt copy and paste IPCONFIG /FLUSHDNS then press Enter.
At the command prompt copy and paste NETSH WINSOCK RESET CATALOG then press Enter.
Type EXIT, press Enter again, and restart your pc.
Now try connecting to the internet.

If you're still not able to connect to the net, try this:
Download to your desktop TCPIP_Fix.exe, a self-extracting ZIP archive.
Double-click Tcpip_Fix.exe to create a new folder on your desktop, Tcpip_Fix.
Open the new folder and double-click Tcpip_fix.cmd to replace the tcpip.sys file with a new copy.
Reboot your computer.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Copy and paste ALL of the following text into Notepad.
Click on Start/All Programs/Accessories/Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2146d3e8-c4f5-11dc-b673-00037ac78323}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"=-

Please download Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/

Disconnect from the internet.
Click Start/Control Panel/Add or Remove Programs and remove the following programs, then restart your pc:
Avast4
AVG7


Now install Avira AntiVir Personal Edition Classic [Free] and perform a full system scan, allowing it to delete everything it detects.
Restart your pc when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


I now need you to do the following, if you're now able to:
First enable the viewing of hidden files and folders; reverse the process once you've finished the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\drivers\macxvi.cfg
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's is too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\drivers\macxvi.cfg
Then click on 'Send File'.
Post the results into your next reply.

Then do exactly the same with the following file:
C:\WINDOWS\system32\drivers\macxvi200.bin
Post all the results into your next reply please.

Also post a new HijackThis log, and let me know how your pc is running now.

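The fix.reg above deletes one MountPoints2 key by hand-copied GUID and one odd value under Policies\Explorer\Run. As an added example (not code from this thread, ComboFix or HijackThis), the Python script below parses a ComboFix-style dump of those two registry areas and generates the same kind of REGEDIT4 fix, but derives the keys to delete from three indicators instead of a single hard-coded GUID: a known AutoRun-worm file name (ntde1ect.com, a lookalike of the legitimate ntdetect.com), the open/explore verbs being redirected to run a file (so that double-clicking the drive in Explorer launches it), and the same executable being launched from several different volumes, which is how the MicrosoftPowerPoint.exe entries in the earlier log look. The sample log text is constructed from entries in this thread plus one benign-looking entry (D:\setup.exe under a made-up GUID) to show what is not flagged. A flagged key is a candidate for review, not a confirmed infection.

```python
"""Triage MountPoints2 and Policies\\Explorer\\Run entries from a ComboFix-style
log and emit a REGEDIT4 fix for the keys that look like AutoRun malware.
Added example for this thread; it is not ComboFix or HijackThis code."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout ComboFix prints. The first three MountPoints2
# keys are copied from the log earlier in this thread; the {aaaaaaaa-...} entry
# is a made-up, benign-looking CD AutoRun entry that should NOT be flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15b0a3dd-7a31-11dc-b634-001b7772d5bf}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2146d3e8-c4f5-11dc-b673-00037ac78323}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3ca42b0-7e3d-11dc-b63a-001b7772d5bf}]
\Shell\Auto\command - E:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - D:\setup.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
MP2_MARK = r"\explorer\mountpoints2\{"
POLICY_RUN = r"\policies\explorer\run"
# File names known from AutoRun worms; ntde1ect.com imitates ntdetect.com.
KNOWN_WORM_FILES = {"ntde1ect.com"}
PROGRAM_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [registry key] to its (verb, command) or (value name, data) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group("key")
            sections[current] = []
        elif current is not None and (m := VERB_RE.match(line)):
            sections[current].append((m.group("verb").lower(), m.group("cmd").strip()))
        elif current is not None and (m := VALUE_RE.match(line)):
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def launched_file(cmd: str) -> str:
    """Base name of the file a verb command ultimately runs (last token, for the
    rundll32 ShellExec_RunDLL form as well as a plain path)."""
    return cmd.split()[-1].rsplit("\\", 1)[-1].lower()


def triage_mountpoints(sections: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Return {MountPoints2 key: [reasons]} for keys that look like AutoRun malware."""
    mp2 = {k: v for k, v in sections.items() if MP2_MARK in k.lower()}
    launched_from: Dict[str, Set[str]] = {}       # file name -> keys (volumes) launching it
    for key, entries in mp2.items():
        for _, cmd in entries:
            launched_from.setdefault(launched_file(cmd), set()).add(key)
    findings: Dict[str, List[str]] = {}
    for key, entries in mp2.items():
        reasons: Set[str] = set()
        for verb, cmd in entries:
            name = launched_file(cmd)
            if name in KNOWN_WORM_FILES:
                reasons.add(f"known AutoRun-worm file name {name}")
            if verb in ("open", "explore"):   # normal media only set AutoRun
                reasons.add(f"'{verb}' verb redirected to run {name}")
            if len(launched_from[name]) > 1:  # same file replicated across volumes
                reasons.add(f"{name} is launched from {len(launched_from[name])} volumes")
        if reasons:
            findings[key] = sorted(reasons)
    return findings


def suspicious_policy_values(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Values under Policies\\Explorer\\Run whose data is not a program path."""
    out = []
    for key, entries in sections.items():
        if key.lower().endswith(POLICY_RUN):
            for name, data in entries:
                if "\\" not in data and not data.lower().endswith(PROGRAM_EXTS):
                    out.append((key, name, data))
    return out


def build_fix_reg(findings: Dict[str, List[str]], policy_values: List[Tuple[str, str, str]]) -> str:
    """REGEDIT4 text: '[-key]' deletes a key, '"name"=-' deletes a value."""
    lines = ["REGEDIT4", ""]
    for key in sorted(findings):
        lines += [f"[-{key}]", ""]
    for key, name, _ in policy_values:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    for key, reasons in triage_mountpoints(secs).items():
        print(key.rsplit("\\", 1)[-1], "->", "; ".join(reasons))
    print(build_fix_reg(triage_mountpoints(secs), suspicious_policy_values(secs)))
```

Run against the real ComboFix log rather than the sample by reading the file into parse_sections; review the printed reasons before merging the generated .reg, since a legitimate vendor disc that is replicated across two drives would also trip the multi-volume indicator.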
#15 Jack_smith_07 (Topic Starter), posted 15 February 2008 - 08:19 AM

Thanks, I will try this. By the way, the file macxvi.cfg is the driver software for my WiMAX PCMCIA card; I guess it's not infected. In fact, if you are suspecting this as a virus: to the best of my knowledge, I copy this file myself every time I upgrade my PCMCIA driver.

Thanks

Edited by Jack_smith_07, 15 February 2008 - 08:23 AM.
