Infected With Spyware - Laptop Running Slow - Seems To Ntos.exe


This topic is locked
45 replies to this topic

#1 asaha
  • Members
  • 31 posts
  • Gender:Male
  • Location:New York

Posted 26 March 2008 - 09:07 PM

Hi,

My laptop is running very slow, rebooting automatically. Tried fixing using different spyware/malware removal tools - AVG, MBM, Spyware Doctor etc. Pasting the HJT log below. Any help will be highly appreciated.

----------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:06 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\SYSROOT\System32\smss.exe
C:\SYSROOT\system32\winlogon.exe
C:\SYSROOT\system32\services.exe
C:\SYSROOT\system32\lsass.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\SYSROOT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\SYSROOT\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\SYSROOT\SYSTEM32\Userinit.exe,C:\Documents and Settings\arijit_saha\Application Data\ntos.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\SYSROOT\system32\taskswitch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ntuser] C:\SYSROOT\system32\drivers\spools.exe
O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\SYSROOT\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\SYSROOT\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://connectibdplus.gs.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C42D410-5192-46A6-896B-2BDD6778216D}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F6F317B-DC3A-4135-9896-5B45E69C401F}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{59FABDE9-C94D-42F1-888A-21FD413CDB3A}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{705D4D9F-AA69-40D3-AFAE-440B61EAB445}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{D11F6C17-FB53-478B-BCEB-A2BFE8268A1A}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFCB20C-AAC9-4943-9294-5E929353D230}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{F67C3D82-A424-4CEC-AD65-14280F466E72}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.110
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: JKhfj3ofgfgdtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\SYSROOT\system32\CTsvcCDA.EXE
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\SYSROOT\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Schedule - Unknown owner - C:\SYSROOT\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)

--
End of file - 9883 bytes
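The log above carries the entries a responder would triage first: the F2 UserInit line with a second executable appended after Userinit.exe, O4 Run entries that launch from a user profile's Application Data directory or from system32\drivers, O17 NameServer lines that point every adapter at the same pair of public addresses, O22 shared-task entries with random names and no file, and O23 services whose binary is missing. The following script is an added example, not part of the thread and not a HijackThis feature: it encodes those patterns as heuristics and runs them over a handful of lines copied from the log above (the sample is constructed from the posted log; the rule names, severities and the "static public resolver" test are this example's own assumptions).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# A finding is (rule name, severity, evidence); the shape is this example's own choice.
Finding = Tuple[str, str, str]

# Constructed sample: nine lines copied from the HijackThis log posted above,
# chosen to exercise each rule plus two benign entries that must not fire.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\SYSROOT\SYSTEM32\Userinit.exe,C:\Documents and Settings\arijit_saha\Application Data\ntos.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKCU\..\Run: [ntuser] C:\SYSROOT\system32\drivers\spools.exe
O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C42D410-5192-46A6-896B-2BDD6778216D}: NameServer = 85.255.116.162,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.110
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - (no file)
O23 - Service: Schedule - Unknown owner - C:\SYSROOT\system32\drivers\spools.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Heuristics (assumptions of this example, not HijackThis rules): an autostart
# living under a user profile or temp directory, or an .exe parked in the
# kernel-driver directory, matches what the log above shows.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings\\Temp|Temp)\\", re.IGNORECASE)
EXE_IN_DRIVERS = re.compile(r"\\system32\\drivers\\[^\\]+\.exe\b", re.IGNORECASE)
STANDARD_USERINIT = re.compile(r"^[a-z]:\\[^,]*\\userinit\.exe$", re.IGNORECASE)


def _is_public(ip: str) -> bool:
    """True for a routable address; junk, RFC1918, loopback and link-local give False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def check_line(line: str) -> List[Finding]:
    """Apply the triage rules to one HijackThis line and return its findings."""
    line = line.rstrip()
    out: List[Finding] = []
    if line.startswith("F2 - ") and "UserInit=" in line:
        # Winlogon's UserInit should name only userinit.exe; anything appended
        # runs at every logon before the shell appears.
        for entry in line.split("UserInit=", 1)[1].split(","):
            entry = entry.strip()
            if entry and not STANDARD_USERINIT.match(entry):
                out.append(("F2-extra-userinit", "high", entry))
    elif line.startswith("O4 - "):
        if USER_WRITABLE.search(line):
            out.append(("O4-autorun-in-user-dir", "high", line))
        if EXE_IN_DRIVERS.search(line):
            out.append(("O4-exe-in-drivers-dir", "high", line))
    elif line.startswith("O17 - ") and "NameServer =" in line:
        # Static resolvers on a domain-joined workstation, public ones at that,
        # override whatever DHCP or the domain hands out.
        servers = re.split(r"[,\s]+", line.split("NameServer =", 1)[1].strip())
        public = [s for s in servers if _is_public(s)]
        if public:
            out.append(("O17-static-public-dns", "medium", ",".join(public)))
    elif line.startswith("O22 - ") and "(no file)" in line:
        out.append(("O22-orphan-shared-task", "medium", line))
    elif line.startswith("O23 - "):
        if "(file missing)" in line:
            out.append(("O23-service-file-missing", "medium", line))
        if EXE_IN_DRIVERS.search(line):
            out.append(("O23-exe-in-drivers-dir", "high", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run every line of a log through check_line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _rule, sev, _evidence in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def public_resolvers(findings: List[Finding]) -> List[str]:
    """Distinct public DNS servers the O17 rule saw, for blocking or reputation lookup."""
    seen = set()
    for rule, _sev, evidence in findings:
        if rule == "O17-static-public-dns":
            seen.update(evidence.split(","))
    return sorted(seen)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, sev, evidence in found:
        print(f"[{sev:6}] {rule}: {evidence}")
    print("resolvers to review:", public_resolvers(found))
```

Run on the sample, the script raises eight findings: the appended ntos.exe in UserInit, the two HKCU Run entries, both O17 resolver overrides, the orphaned O22 entry, and the missing spools.exe service twice (missing file, and an .exe in the drivers directory). The point of the O17 rule is visible later in this thread: after FixWareout runs, the second HijackThis log contains no NameServer overrides at all, so a diff of the two logs through this script is one way to confirm that part of the cleanup took.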


#2 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 29 March 2008 - 04:22 PM

Hi asaha and welcome to Bleeping Computer.
I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Starbuck



#3 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 30 March 2008 - 05:36 PM

Hi asaha

One of the infections you have is really nasty:
ntos.exe is a 'backdoor/keylogger'.

Can communicate with other computer systems using HTTP protocols
Makes outbound connections to other computers using NETBIOSOUT protocols

In other words, it may well have stolen your passwords.... We have no way of telling.

If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read ....Here
If you choose to format and reinstall read...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

If for any reason you decide to carry on with trying to fix these infections, I will add the 1st part of the fix to save you time.
But like I say, it's entirely up to you if you want to continue.

Step 1
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Step 2
Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it..... allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

In your next reply, please submit: (ONLY IF YOU WANT TO CARRY ON WITH THIS FIX)
Report.txt from SDFix
Report.txt from FixWareout.
and a new Hjt log.

Thanks.



#4 don77
    Forum Regular
  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 07 April 2008 - 09:39 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#5 don77
    Forum Regular
  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 13 April 2008 - 07:30 PM

User returned.
Please post all the requested logs and starbuck will be back with you as soon as he can.

#6 asaha
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male
  • Location:New York

Posted 13 April 2008 - 11:15 PM

Thank you for helping me out on getting this fixed and my apologies for the delayed response. Following are the logs
--------------------------------------------------------------------------------------------------------------
SDFix
---------------------------------------------------------------------------------------------------------------

SDFix: Version 1.170
Run by Arijit_Saha on Sun 04/13/2008 at 08:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name:
agehhtd
Google Online Search Service

Path:
\??\C:\SYSROOT\inf\agehhtd.cat
C:\SYSROOT\system32\winlagan.exe -A

agehhtd - Deleted
Google Online Search Service - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path

Rebooting

Service NdisWon - Deleted
Service Qhw45 - Deleted

Checking Files :


--------------------------------------------------------------------------------------------------------------
FixWareOut
---------------------------------------------------------------------------------------------------------------

Username "Arijit_Saha" - 04/13/2008 21:38:25 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe"
"TFNF5"="TFNF5.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_13\\bin\\jusched.exe\""
"RegistryMechanic"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"Verizon_McciTrayApp"="C:\\Program Files\\Verizon\\McciTrayApp.exe"
"VerizonServicepoint.exe"="\"C:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe\" /AUTORUN"
"CanonSolutionMenu"="C:\\Program Files\\Canon\\SolutionMenu\\CNSLMAIN.exe /logon"
"CanonMyPrinter"="C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe /logon"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"OpwareSE4"="\"C:\\Program Files\\ScanSoft\\OmniPageSE4\\OpwareSE4.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\SYSROOT\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"autoload"="C:\\Documents and Settings\\arijit_saha\\Local Settings\\Application Data\\cftmon.exe"
"Firewall auto setup"="C:\\DOCUME~1\\ARIJIT~1\\LOCALS~1\\Temp\\winlogon.exe"
"jkdfj94kgdftdf"="C:\\SYSROOT\\TEMP\\winlogan.exe"
"Jnskdfmf9eldfd"="C:\\DOCUME~1\\ARIJIT~1\\LOCALS~1\\Temp\\csrssc.exe"
"userinit"="C:\\Documents and Settings\\arijit_saha\\Application Data\\ntos.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

--------------------------------------------------------------------------------------------------------------
HJT
---------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:49 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\SYSROOT\System32\smss.exe
C:\SYSROOT\system32\winlogon.exe
C:\SYSROOT\system32\services.exe
C:\SYSROOT\system32\lsass.exe
C:\SYSROOT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYSROOT\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\SYSROOT\system32\IDispChg.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\SYSROOT\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\SYSROOT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\SYSROOT\system32\notepad.exe
C:\SYSROOT\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\SYSROOT\system32\ctfmon.exe
C:\SYSROOT\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\SYSROOT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\SYSROOT\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://connectibdplus.gs.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\SYSROOT\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)

--
End of file - 8385 bytes

#7 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 14 April 2008 - 04:15 PM

Hi asaha

That's got a little bit of it.... but there's plenty more to do.

Step 1
Please disable AVG AntiSpyware Guard, it can interfere with our fixes.

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".

Step 2
You have a bad program on your system.
Click on start... settings... control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist: ( it may not be there, if not... don't worry )

ShoppingReport

Step 3
Run Hijackthis again, click scan, and Put a checkmark next to each of these items.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

This line:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Corresponds to Administrative lock down for changing the options or homepage in Internet explorer.
If you did not knowingly set this, you can remove the line as well.

Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 4
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Note: Do not mouseclick ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply.

In your next reply, please submit:
ComboFix.txt
and a new Hjt log.

Thanks.



#8 asaha
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male
  • Location:New York

Posted 15 April 2008 - 08:10 PM

Hi Starbuck,

I executed the steps you mentioned. However, in Step 2 I was not able to remove ShoppingReport through Add/Remove Programs. It seems ComboFix finally removed it.

Following are the logs


ComboFix 08-04-14.2 - Arijit_Saha 2008-04-15 0:59:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -4:00]
Running from: C:\Documents and Settings\arijit_saha\Desktop\ComboFix.exe
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\arijit_saha\Application Data\wsnpoem
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\audio.dll.cla
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\video.dll
C:\Documents and Settings\CCD\Application Data\wsnpoem
C:\Documents and Settings\CCD\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\CCD\Application Data\wsnpoem\video.dll
C:\ntldr.sys
C:\Program Files\3721
C:\Program Files\Accoona
C:\Program Files\Helper
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1189307536.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\SYSROOT\spredirect.dll
C:\SYSROOT\system32\acespy
C:\SYSROOT\system32\drivers\grande48.sys
C:\SYSROOT\system32\ssqopmk.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 03:02 . 2008-04-15 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-13 21:00 . 2007-07-30 19:18 34,136 --a------ C:\SYSROOT\system32\wucltui.dll.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuaucpl.cpl.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuapi.dll.mui
2008-04-13 21:00 . 2007-07-30 19:18 20,312 --a------ C:\SYSROOT\system32\wuaueng.dll.mui
2008-04-13 20:53 . 2008-04-13 22:00 <DIR> d-------- C:\fixwareout
2008-04-13 20:34 . 2008-04-13 20:34 <DIR> d-------- C:\SYSROOT\ERUNT
2008-04-13 20:33 . 2008-04-13 20:33 <DIR> d-------- C:\SDFix
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\Documents and Settings\CCD\Application Data\Grisoft
2008-03-23 16:18 . 2008-03-23 16:18 <DIR> d-------- C:\Documents and Settings\arijit_saha\Application Data\Grisoft
2008-03-23 16:18 . 2008-03-23 16:18 <DIR> d-------- C:\Documents and Settings\All Users.SYSROOT\Application Data\Grisoft
2008-03-23 16:18 . 2007-05-30 08:10 10,872 --a------ C:\SYSROOT\system32\drivers\AvgAsCln.sys
2008-03-23 13:29 . 2008-03-23 13:29 <DIR> d-------- C:\Documents and Settings\CCD\Application Data\Motive
2008-03-23 12:29 . 2008-03-23 12:29 44 --a------ C:\p2hhr.bat
2008-03-23 12:28 . 2008-03-23 12:28 10,000 --a------ C:\SYSROOT\system32\JFIEHAYD.DLL.0.AVB
2008-03-23 12:27 . 2008-03-23 14:57 44,544 --a------ C:\wqcltxk.exe
2008-03-23 12:26 . 2008-03-23 12:26 58,368 --a------ C:\jehebe.exe
2008-03-23 12:26 . 2008-03-23 14:57 32,256 --a------ C:\SYSROOT\system32\pokd446.exe
2008-03-23 12:25 . 2008-03-23 14:57 12,800 --a------ C:\SYSROOT\system32\pokd468.exe
2008-03-23 12:23 . 2008-03-23 14:57 238,856 --a------ C:\SYSROOT\system32\pokd451.exe
2008-03-23 12:23 . 2008-03-23 14:57 12,800 --a------ C:\SYSROOT\system32\pokd463.exe
2008-03-23 12:22 . 2008-03-23 14:57 143,360 --a------ C:\SYSROOT\system32\pokd406.exe
2008-03-23 12:22 . 2008-03-23 14:57 6,144 --a------ C:\SYSROOT\system32\pokd888.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 05:22 --------- d-----w C:\Program Files\Yahoo!
2008-04-14 05:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Yahoo
2008-04-14 05:19 --------- d-----w C:\Program Files\Audible
2008-04-14 04:47 --------- d-----w C:\Program Files\Google
2008-04-14 04:36 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Move Networks
2008-04-14 04:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 02:15 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 01:55 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\yahoo!
2008-04-14 01:51 --------- d-----w C:\Program Files\Creative
2008-04-14 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-14 01:22 --------- d---a-w C:\Documents and Settings\All Users.SYSROOT\Application Data\TEMP
2008-03-11 03:25 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 02:24 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\McAfee
2008-03-06 03:43 --------- d-----w C:\Documents and Settings\CCD\Application Data\Malwarebytes
2008-03-06 03:31 3,584 ----a-w C:\qxab.exe
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Malwarebytes
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Malwarebytes
2008-03-04 13:25 58,368 ----a-w C:\tlmnmae.exe
2008-03-04 04:52 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\TVU Networks
2007-09-04 01:30 284 ----a-w C:\Documents and Settings\arijit_saha\Application Data\ViewerApp.dat
2007-01-31 01:15 9,452,296 ----a-w C:\Program Files\yahoo_bejeweled2_tm1-1.exe
2004-08-03 19:26 976,384 ----a-r C:\Documents and Settings\CCD\Application Data\ntos.exe
2004-08-03 19:26 1,220,096 ------w C:\Documents and Settings\arijit_saha\Application Data\ntos.exe


--------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:49, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\SYSROOT\System32\smss.exe
C:\SYSROOT\system32\winlogon.exe
C:\SYSROOT\system32\services.exe
C:\SYSROOT\system32\lsass.exe
C:\SYSROOT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYSROOT\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\SYSROOT\system32\IDispChg.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\SYSROOT\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\SYSROOT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\SYSROOT\system32\wuauclt.exe
C:\SYSROOT\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\SYSROOT\system32\ctfmon.exe
C:\SYSROOT\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\SYSROOT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\SYSROOT\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://connectibdplus.gs.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\SYSROOT\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)

--
End of file - 7726 bytes


Thanks
asaha
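The HijackThis log above is what a helper reads by hand, and the entry that matters most is easy to miss among the benign ones: the O23 service TrkWksSENS pointing at C:\SYSROOT\system32\pokd437.exe with "(file missing)", i.e. an autostart left behind by malware that has since been deleted or renamed. As an added example (not code from this thread, and not part of HijackThis or ComboFix), here is a small Python triage script that applies the same first-pass checks to HJT-style O4 and O23 lines. The sample lines are constructed from the log in the post above; the severity labels, the Finding class and the heuristics are my own and are only a starting point for review, not a verdict.

```python
"""Triage helper for HijackThis O4 (autorun) and O23 (service) lines.

Added example, not part of the thread or of HijackThis itself. It flags
three things a malware-removal helper checks first:
  high   - a service whose binary is reported "(file missing)"
  medium - an autorun given as a bare file name (resolved via search path)
  review - an "Unknown owner" service living in system32 (verify vendor)
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the HJT log in the post above: the
# TrkWksSENS / pokd437.exe service and the bare 000StTHK.exe entry are the
# lines of interest; the others are benign entries from the same log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - '
    r'(?P<path>.+?)(?P<missing> \(file missing\))?$'
)
# Executable at the start of a command line, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)',
                    re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    kind: str      # "O4" or "O23"
    name: str      # autorun value name or service display name
    path: str
    reason: str


def executable_of(cmd: str) -> str:
    """Pull the executable out of an O4 command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if it looks unremarkable."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if "\\" not in exe and "/" not in exe:
            return Finding("medium", "O4", m.group("name"), exe,
                           "autorun given as a bare file name; it is resolved "
                           "through the search path, so confirm which file runs")
        return None
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        if m.group("missing"):
            return Finding("high", "O23", m.group("display"), path,
                           "service points at a binary that no longer exists: "
                           "an orphaned autostart from malware or a partial clean-up")
        if m.group("owner") == "Unknown owner" and "\\system32\\" in path.lower():
            return Finding("review", "O23", m.group("display"), path,
                           "unknown-owner service in system32; confirm vendor "
                           "and file signature before trusting it")
    return None


def triage(log_text: str) -> list:
    """Triage every line of an HJT log, most severe findings first."""
    found = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(found, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind} {f.name}: {f.path}")
        print(f"         {f.reason}")
```

Run against the constructed sample, the missing-file service comes out first, the bare 000StTHK.exe autorun second, and the IDispChg service last as something to verify rather than remove; the AVG guard service and the fully-pathed ctfmon entry are not reported at all. The "Unknown owner" check deliberately only asks for verification, since legitimate OEM services (IDispChg here) show up the same way.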

#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:13 AM

Posted 16 April 2008 - 09:12 AM

Hi asaha
It appears that the combofix.txt was cut off.
I need to see the 'Reg Loading Points' etc, can you please post the combofix.txt again so that I have the complete report.
You should be able to find the report at:
C:\ComboFix.txt

Thanks.



#10 asaha

asaha
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:10:13 PM

Posted 17 April 2008 - 08:02 PM

Hi Starbuck,

Actually I copy pasted it from C:\ComboFix.txt as the log didn't open automatically even though I waited for 6-7 hours. Does this mean that ComboFix didn't run properly :thumbsup: ? Do I need to run it again?

I am attaching the file once again.

Thanks
Arijit

Attached Files



#11 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:13 AM

Posted 18 April 2008 - 12:00 PM

Hi asaha

Do I need to run it again?

Yes please. Let's see what happens this time around.



#12 asaha

asaha
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:10:13 PM

Posted 21 April 2008 - 12:34 AM

Hi Starbuck,

Here is the complete ComboFix log and HJT log

ComboFix 08-04-14.2 - Arijit_Saha 2008-04-20 22:06:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -4:00]
Running from: C:\Documents and Settings\arijit_saha\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\audio.dll.cla
C:\Documents and Settings\arijit_saha\Application Data\wsnpoem\video.dll
C:\Documents and Settings\CCD\Application Data\wsnpoem
C:\Documents and Settings\CCD\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\CCD\Application Data\wsnpoem\video.dll
C:\ntldr.sys
C:\Program Files\3721
C:\Program Files\Accoona
C:\Program Files\Helper
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1189307536.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\SYSROOT\spredirect.dll
C:\SYSROOT\system32\acespy
C:\SYSROOT\system32\drivers\grande48.sys
C:\SYSROOT\system32\ssqopmk.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-15 21:53 . 2008-03-01 09:06 6,066,176 -----c--- C:\SYSROOT\system32\dllcache\ieframe.dll
2008-04-15 21:53 . 2007-06-30 23:31 2,455,488 -----c--- C:\SYSROOT\system32\dllcache\ieapfltr.dat
2008-04-15 21:53 . 2007-06-30 23:36 991,232 -----c--- C:\SYSROOT\system32\dllcache\ieframe.dll.mui
2008-04-15 21:53 . 2008-03-01 09:06 459,264 -----c--- C:\SYSROOT\system32\dllcache\msfeeds.dll
2008-04-15 21:53 . 2008-03-01 09:06 383,488 -----c--- C:\SYSROOT\system32\dllcache\ieapfltr.dll
2008-04-15 21:53 . 2008-03-01 09:06 267,776 -----c--- C:\SYSROOT\system32\dllcache\iertutil.dll
2008-04-15 21:53 . 2008-03-01 09:06 63,488 -----c--- C:\SYSROOT\system32\dllcache\icardie.dll
2008-04-15 21:53 . 2008-03-01 09:06 52,224 -----c--- C:\SYSROOT\system32\dllcache\msfeedsbs.dll
2008-04-15 21:53 . 2008-02-22 06:00 13,824 -----c--- C:\SYSROOT\system32\dllcache\ieudinit.exe
2008-04-15 21:24 . 2008-04-15 21:24 118 --a------ C:\SYSROOT\system32\MRT.INI
2008-04-15 03:02 . 2008-04-15 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-13 21:00 . 2007-07-30 19:18 34,136 --a------ C:\SYSROOT\system32\wucltui.dll.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuaucpl.cpl.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuapi.dll.mui
2008-04-13 21:00 . 2007-07-30 19:18 20,312 --a------ C:\SYSROOT\system32\wuaueng.dll.mui
2008-04-13 20:53 . 2008-04-13 22:00 <DIR> d-------- C:\fixwareout
2008-04-13 20:34 . 2008-04-13 20:34 <DIR> d-------- C:\SYSROOT\ERUNT
2008-04-13 20:33 . 2008-04-13 20:33 <DIR> d-------- C:\SDFix
2008-03-23 16:54 . 2008-03-23 16:54 <DIR> d-------- C:\Documents and Settings\CCD\Application Data\Grisoft
2008-03-23 16:18 . 2008-03-23 16:18 <DIR> d-------- C:\Documents and Settings\arijit_saha\Application Data\Grisoft
2008-03-23 16:18 . 2008-03-23 16:18 <DIR> d-------- C:\Documents and Settings\All Users.SYSROOT\Application Data\Grisoft
2008-03-23 16:18 . 2007-05-30 08:10 10,872 --a------ C:\SYSROOT\system32\drivers\AvgAsCln.sys
2008-03-23 13:29 . 2008-03-23 13:29 <DIR> d-------- C:\Documents and Settings\CCD\Application Data\Motive
2008-03-23 12:29 . 2008-03-23 12:29 44 --a------ C:\p2hhr.bat
2008-03-23 12:28 . 2008-03-23 12:28 10,000 --a------ C:\SYSROOT\system32\JFIEHAYD.DLL.0.AVB
2008-03-23 12:27 . 2008-03-23 14:57 44,544 --a------ C:\wqcltxk.exe
2008-03-23 12:26 . 2008-03-23 12:26 58,368 --a------ C:\jehebe.exe
2008-03-23 12:26 . 2008-03-23 14:57 32,256 --a------ C:\SYSROOT\system32\pokd446.exe
2008-03-23 12:25 . 2008-03-23 14:57 12,800 --a------ C:\SYSROOT\system32\pokd468.exe
2008-03-23 12:23 . 2008-03-23 14:57 238,856 --a------ C:\SYSROOT\system32\pokd451.exe
2008-03-23 12:23 . 2008-03-23 14:57 12,800 --a------ C:\SYSROOT\system32\pokd463.exe
2008-03-23 12:22 . 2008-03-23 14:57 143,360 --a------ C:\SYSROOT\system32\pokd406.exe
2008-03-23 12:22 . 2008-03-23 14:57 6,144 --a------ C:\SYSROOT\system32\pokd888.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 05:22 --------- d-----w C:\Program Files\Yahoo!
2008-04-14 05:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Yahoo
2008-04-14 05:19 --------- d-----w C:\Program Files\Audible
2008-04-14 04:47 --------- d-----w C:\Program Files\Google
2008-04-14 04:36 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Move Networks
2008-04-14 04:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 02:15 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 01:55 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\yahoo!
2008-04-14 01:51 --------- d-----w C:\Program Files\Creative
2008-04-14 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-14 01:22 --------- d---a-w C:\Documents and Settings\All Users.SYSROOT\Application Data\TEMP
2008-03-23 18:57 84,816 ----a-w C:\SYSROOT\system32\pokd414.exe
2008-03-23 18:57 59,904 ----a-w C:\SYSROOT\system32\pokd407.exe
2008-03-23 18:57 256,052 ----a-w C:\SYSROOT\system32\pokd314.exe
2008-03-23 18:57 22,528 ----a-w C:\SYSROOT\system32\pokd275.exe
2008-03-23 18:57 17,920 ----a-w C:\SYSROOT\system32\pokd374.exe
2008-03-19 09:47 1,845,248 ----a-w C:\SYSROOT\system32\win32k.sys
2008-03-11 03:25 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 02:24 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\McAfee
2008-03-06 03:43 --------- d-----w C:\Documents and Settings\CCD\Application Data\Malwarebytes
2008-03-06 03:31 81,408 ----a-w C:\SYSROOT\system32\kdrvy.exe
2008-03-06 03:31 3,584 ----a-w C:\qxab.exe
2008-03-06 03:28 38,400 --sh--r C:\SYSROOT\system32\1033r.exe
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Malwarebytes
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Malwarebytes
2008-03-04 13:25 58,368 ----a-w C:\tlmnmae.exe
2008-03-04 13:18 3,217 ----a-w C:\SYSROOT\system32\winlagan.exe
2008-03-04 04:52 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\TVU Networks
2008-03-01 13:06 826,368 ----a-w C:\SYSROOT\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\SYSROOT\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\SYSROOT\system32\dnsrslvr.dll
2008-01-30 21:10 274,432 ----a-w C:\SYSROOT\system32\libcurl.dll
2007-09-04 01:30 284 ----a-w C:\Documents and Settings\arijit_saha\Application Data\ViewerApp.dat
2007-01-31 01:15 9,452,296 ----a-w C:\Program Files\yahoo_bejeweled2_tm1-1.exe
2004-08-03 19:26 1,220,096 ------w C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
2007-07-15 07:41 80 --sh--r C:\SYSROOT\system32\3F4A937388.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\SYSROOT\system32\ctfmon.exe" [2004-08-03 15:26 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 10:58 24576 C:\SYSROOT\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-28 00:52 73728 C:\SYSROOT\system32\TFNF5.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe" [2007-09-25 22:23 75256]
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-05 10:44 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 19:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 13:02 79400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\picasa\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\blrkeclxxxxxadm\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 04:36:14 59080]

C:\Documents and Settings\All Users.SYSROOT\Start Menu\Programs\Startup\
RAMASST.lnk - C:\SYSROOT\system32\RAMASST.exe [2006-03-22 08:41:56 155648]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-22 07:37:37 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-06-19 03:31 24669 C:\SYSROOT\system32\ckpNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\SYSROOT\\system32\\dpvsetup.exe"=
"C:\\SYSROOT\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\SYSROOT\\system32\\sessmgr.exe"=
"C:\\SYSROOT\\system32\\rundll32.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\SYSROOT\system32\DRIVERS\thpdrv.sys [2004-11-30 12:19]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\SYSROOT\system32\DRIVERS\Thpevm.SYS [2004-11-13 02:54]
R2 CcmExec;SMS Agent Host;C:\SYSROOT\system32\CCM\CcmExec.exe [2004-08-03 17:35]
R2 CP_OMDRV;Check Point Office Mode Module;C:\SYSROOT\system32\drivers\omdrv.sys [2005-06-19 03:31]
R2 IDispChgService;IDispChg Service;C:\SYSROOT\system32\IDispChg.exe [2004-03-30 09:13]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 12:20]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\SYSROOT\system32\DRIVERS\vnasc.sys [2005-06-19 03:30]
R2 VPN-1;VPN-1 Module;C:\SYSROOT\system32\drivers\vpn.sys [2005-06-19 03:30]
R3 FW1;SecuRemote Miniport;C:\SYSROOT\system32\DRIVERS\fw.sys [2005-06-19 03:30]
S2 TrkWksSENS;Distributed Link Tracking Client TrkWksSENS;C:\SYSROOT\system32\pokd437.exe []
S3 hamachi_oem;PlayLinc Adapter;C:\SYSROOT\system32\DRIVERS\gan_adapter.sys [2006-09-27 17:12]
S3 prepdrvr;SMS Process Event Driver;C:\SYSROOT\system32\CCM\prepdrv.sys [2004-06-26 17:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 00:55:40 C:\SYSROOT\Tasks\At1.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 14:00:00 C:\SYSROOT\Tasks\At10.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 15:00:00 C:\SYSROOT\Tasks\At11.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 16:00:00 C:\SYSROOT\Tasks\At12.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 17:00:00 C:\SYSROOT\Tasks\At13.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 18:00:00 C:\SYSROOT\Tasks\At14.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 19:00:00 C:\SYSROOT\Tasks\At15.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 20:00:00 C:\SYSROOT\Tasks\At16.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 21:00:00 C:\SYSROOT\Tasks\At17.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 22:00:00 C:\SYSROOT\Tasks\At18.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-02 23:00:00 C:\SYSROOT\Tasks\At19.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 05:01:54 C:\SYSROOT\Tasks\At2.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-03 00:00:00 C:\SYSROOT\Tasks\At20.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-03-03 01:00:00 C:\SYSROOT\Tasks\At21.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-21 01:00:00 C:\SYSROOT\Tasks\At22.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-21 02:00:00 C:\SYSROOT\Tasks\At23.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-21 03:01:26 C:\SYSROOT\Tasks\At24.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 06:00:00 C:\SYSROOT\Tasks\At3.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 07:00:00 C:\SYSROOT\Tasks\At4.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 08:00:00 C:\SYSROOT\Tasks\At5.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 09:00:00 C:\SYSROOT\Tasks\At6.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 10:00:00 C:\SYSROOT\Tasks\At7.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 11:00:00 C:\SYSROOT\Tasks\At8.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
"2008-04-15 12:00:00 C:\SYSROOT\Tasks\At9.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 23:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-20 23:16:34
ComboFix-quarantined-files.txt 2008-04-21 03:16:30

Pre-Run: 13,228,974,080 bytes free
Post-Run: 13,219,008,512 bytes free
.
2008-04-16 01:56:25 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:40, on 2008-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\SYSROOT\System32\smss.exe
C:\SYSROOT\system32\winlogon.exe
C:\SYSROOT\system32\services.exe
C:\SYSROOT\system32\lsass.exe
C:\SYSROOT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYSROOT\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\SYSROOT\system32\IDispChg.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\SYSROOT\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\SYSROOT\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\SYSROOT\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\SYSROOT\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\SYSROOT\explorer.exe
C:\SYSROOT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-21-1343024091-746137067-2146872243-1003\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\SYSROOT\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\SYSROOT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\SYSROOT\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://connectibdplus.gs.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\SYSROOT\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)

--
End of file - 8176 bytes

#13 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:03:13 AM

Posted 22 April 2008 - 12:02 PM

Hi asaha

Even more work this time, I'm afraid.

Step 1
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step 2
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\p2hhr.bat
C:\SYSROOT\system32\JFIEHAYD.DLL.0.AVB
C:\wqcltxk.exe
C:\jehebe.exe
C:\SYSROOT\system32\pokd446.exe
C:\SYSROOT\system32\pokd468.exe
C:\SYSROOT\system32\pokd451.exe
C:\SYSROOT\system32\pokd463.exe
C:\SYSROOT\system32\pokd406.exe
C:\SYSROOT\system32\pokd888.exe
C:\SYSROOT\system32\pokd414.exe
C:\SYSROOT\system32\pokd407.exe
C:\SYSROOT\system32\pokd314.exe
C:\SYSROOT\system32\pokd275.exe
C:\SYSROOT\system32\pokd374.exe
C:\SYSROOT\system32\kdrvy.exe
C:\qxab.exe
C:\SYSROOT\system32\1033r.exe
C:\tlmnmae.exe
C:\SYSROOT\system32\winlagan.exe
C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
C:\SYSROOT\system32\3F4A937388.dll
C:\SYSROOT\system32\b7jcHt1m.exe
C:\SYSROOT\Tasks\At1.job
C:\SYSROOT\Tasks\At10.job
C:\SYSROOT\Tasks\At11.job
C:\SYSROOT\Tasks\At12.job
C:\SYSROOT\Tasks\At13.job
C:\SYSROOT\Tasks\At14.job
C:\SYSROOT\Tasks\At15.job
C:\SYSROOT\Tasks\At16.job
C:\SYSROOT\Tasks\At17.job
C:\SYSROOT\Tasks\At18.job
C:\SYSROOT\Tasks\At19.job
C:\SYSROOT\Tasks\At2.job
C:\SYSROOT\Tasks\At20.job
C:\SYSROOT\Tasks\At21.job
C:\SYSROOT\Tasks\At22.job
C:\SYSROOT\Tasks\At23.job
C:\SYSROOT\Tasks\At24.job
C:\SYSROOT\Tasks\At3.job
C:\SYSROOT\Tasks\At4.job
C:\SYSROOT\Tasks\At5.job
C:\SYSROOT\Tasks\At6.job
C:\SYSROOT\Tasks\At8.job
C:\SYSROOT\Tasks\At9.job

Driver::
TrkWksSENS
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
[screenshot not included]

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 3
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step 4
I'd like to see an uninstall list.
Open HijackThis... click on Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save... copy and paste the results in your next post.
More information, with a screenshot, can be found here.

In your next reply, please submit:
New ComboFix.txt
Kaspersky scan result.
Uninstall list
and a new Hjt log.


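As an added illustration of the triage behind the instructions above (example code, not part of this thread, HijackThis or ComboFix), the following Python script parses O4 and O23 lines in HijackThis format and flags the clues the helper acted on: a service with no vendor and a missing binary, a service short name that pads a legitimate one (TrkWks -> TrkWksSENS), random-looking executable names such as pokd437.exe, and an autorun launched from a user's Application Data folder as ntos.exe was. The sample log lines, the LEGIT_SERVICES and SYSTEM32_AUTORUN_OK allowlists and the filename heuristic are constructed assumptions, not authoritative data.

```python
"""Flag suspicious autorun (O4) and service (O23) lines in a HijackThis log.

Added example for this thread (not part of HijackThis, ComboFix or the helper's
procedure).  The checks encode the clues acted on above: a service with no
vendor whose binary is missing, a short name padding a legitimate service name
(TrkWks -> TrkWksSENS), random-looking names (pokd437.exe) and an autorun
launched from a user's Application Data folder (ntos.exe).
"""
import re
from dataclasses import dataclass, field

# Illustrative allowlists: constructed assumptions, not an authoritative list.
LEGIT_SERVICES = {"TrkWks", "Spooler", "wuauserv", "Schedule", "Dhcp", "Dnscache"}
SYSTEM32_AUTORUN_OK = {"ctfmon.exe", "ramasst.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))?"
                    r" - (?P<owner>.*?) - (?P<path>.*)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.(?:exe|bat|com|scr|dll))"?', re.IGNORECASE)
# Heuristic only: a few lowercase letters followed by a numeric suffix.
RANDOM_NAME_RE = re.compile(r"[a-z]{3,6}\d{2,4}\.exe", re.IGNORECASE)

# Constructed sample in HijackThis format: benign lines shaped like the ones in
# the thread plus two that mirror the entries the helper had removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntos] C:\Documents and Settings\user\Application Data\ntos.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Distributed Link Tracking Client TrkWksSENS (TrkWksSENS) - Unknown owner - C:\SYSROOT\system32\pokd437.exe (file missing)
""".strip("\n")


@dataclass
class Finding:
    line_no: int
    kind: str        # "O4" or "O23"
    name: str        # run-key name or service short name
    path: str
    reasons: list = field(default_factory=list)


def _check_path(f: Finding, path: str) -> None:
    """Path-based checks shared by O4 and O23 entries."""
    head, _, base = path.lower().rpartition("\\")
    if RANDOM_NAME_RE.fullmatch(base):
        f.reasons.append("random-looking executable name")
    if "\\application data" in head and base.endswith(".exe"):
        f.reasons.append("executable launched from a user profile's Application Data")
    if f.kind == "O4" and head.endswith("\\system32") and base not in SYSTEM32_AUTORUN_OK:
        f.reasons.append("unrecognised autorun executable in system32")


def check_o4(line_no: int, m: re.Match) -> Finding:
    em = EXE_RE.search(m["cmd"])
    path = em["path"] if em else m["cmd"]
    f = Finding(line_no, "O4", m["key"], path)
    _check_path(f, path)
    return f


def check_o23(line_no: int, m: re.Match) -> Finding:
    path = m["path"].strip()
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].rstrip()
    short = m["short"] or m["display"]
    f = Finding(line_no, "O23", short, path)
    if m["owner"].strip().lower() == "unknown owner":
        f.reasons.append("no vendor recorded for the service binary")
    if missing:
        f.reasons.append("service binary missing on disk")
    if short not in LEGIT_SERVICES and any(
        short.startswith(s) or short.endswith(s) for s in LEGIT_SERVICES
    ):
        f.reasons.append("short name pads a legitimate service name")
    _check_path(f, path)
    return f


def scan_hjt_log(text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            f = check_o4(n, m)
        elif (m := O23_RE.match(line)):
            f = check_o23(n, m)
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.kind} {f.name!r} {f.path}: {'; '.join(f.reasons)}")
```

Every hit is a review prompt, not a verdict: a vendor-less service with a present binary or a legitimately odd filename can still be benign, so confirm on disk before listing anything in a removal script.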

#14 asaha

asaha
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:New York
  • Local time:10:13 PM

Posted 28 April 2008 - 08:40 PM

Hi Starbuck,

Please find below the New ComboFix.txt, Uninstall list and the new Hjt log.

The Kaspersky scan log is pretty big in size and I will paste it in multiple posts.

ComboFix 08-04-24.1 - Arijit_Saha 2008-04-26 11:29:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT -4:00]
Running from: C:\Documents and Settings\arijit_saha\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\arijit_saha\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
C:\jehebe.exe
C:\p2hhr.bat
C:\qxab.exe
C:\SYSROOT\system32\1033r.exe
C:\SYSROOT\system32\3F4A937388.dll
C:\SYSROOT\system32\b7jcHt1m.exe
C:\SYSROOT\system32\JFIEHAYD.DLL.0.AVB
C:\SYSROOT\system32\kdrvy.exe
C:\SYSROOT\system32\pokd275.exe
C:\SYSROOT\system32\pokd314.exe
C:\SYSROOT\system32\pokd374.exe
C:\SYSROOT\system32\pokd406.exe
C:\SYSROOT\system32\pokd407.exe
C:\SYSROOT\system32\pokd414.exe
C:\SYSROOT\system32\pokd446.exe
C:\SYSROOT\system32\pokd451.exe
C:\SYSROOT\system32\pokd463.exe
C:\SYSROOT\system32\pokd468.exe
C:\SYSROOT\system32\pokd888.exe
C:\SYSROOT\system32\winlagan.exe
C:\SYSROOT\Tasks\At1.job
C:\SYSROOT\Tasks\At10.job
C:\SYSROOT\Tasks\At11.job
C:\SYSROOT\Tasks\At12.job
C:\SYSROOT\Tasks\At13.job
C:\SYSROOT\Tasks\At14.job
C:\SYSROOT\Tasks\At15.job
C:\SYSROOT\Tasks\At16.job
C:\SYSROOT\Tasks\At17.job
C:\SYSROOT\Tasks\At18.job
C:\SYSROOT\Tasks\At19.job
C:\SYSROOT\Tasks\At2.job
C:\SYSROOT\Tasks\At20.job
C:\SYSROOT\Tasks\At21.job
C:\SYSROOT\Tasks\At22.job
C:\SYSROOT\Tasks\At23.job
C:\SYSROOT\Tasks\At24.job
C:\SYSROOT\Tasks\At3.job
C:\SYSROOT\Tasks\At4.job
C:\SYSROOT\Tasks\At5.job
C:\SYSROOT\Tasks\At6.job
C:\SYSROOT\Tasks\At8.job
C:\SYSROOT\Tasks\At9.job
C:\tlmnmae.exe
C:\wqcltxk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\arijit_saha\Application Data\ntos.exe
C:\jehebe.exe
C:\p2hhr.bat
C:\qxab.exe
C:\SYSROOT\system32\1033r.exe
C:\SYSROOT\system32\3F4A937388.dll
C:\SYSROOT\system32\DelSelf.bat
C:\SYSROOT\system32\JFIEHAYD.DLL.0.AVB
C:\SYSROOT\system32\kdrvy.exe
C:\SYSROOT\system32\pokd275.exe
C:\SYSROOT\system32\pokd314.exe
C:\SYSROOT\system32\pokd374.exe
C:\SYSROOT\system32\pokd406.exe
C:\SYSROOT\system32\pokd407.exe
C:\SYSROOT\system32\pokd414.exe
C:\SYSROOT\system32\pokd446.exe
C:\SYSROOT\system32\pokd451.exe
C:\SYSROOT\system32\pokd463.exe
C:\SYSROOT\system32\pokd468.exe
C:\SYSROOT\system32\pokd888.exe
C:\SYSROOT\system32\winlagan.exe
C:\SYSROOT\Tasks\At1.job
C:\SYSROOT\Tasks\At10.job
C:\SYSROOT\Tasks\At11.job
C:\SYSROOT\Tasks\At12.job
C:\SYSROOT\Tasks\At13.job
C:\SYSROOT\Tasks\At14.job
C:\SYSROOT\Tasks\At15.job
C:\SYSROOT\Tasks\At16.job
C:\SYSROOT\Tasks\At17.job
C:\SYSROOT\Tasks\At18.job
C:\SYSROOT\Tasks\At19.job
C:\SYSROOT\Tasks\At2.job
C:\SYSROOT\Tasks\At20.job
C:\SYSROOT\Tasks\At21.job
C:\SYSROOT\Tasks\At22.job
C:\SYSROOT\Tasks\At23.job
C:\SYSROOT\Tasks\At24.job
C:\SYSROOT\Tasks\At3.job
C:\SYSROOT\Tasks\At4.job
C:\SYSROOT\Tasks\At5.job
C:\SYSROOT\Tasks\At6.job
C:\SYSROOT\Tasks\At8.job
C:\SYSROOT\Tasks\At9.job
C:\tlmnmae.exe
C:\wqcltxk.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TRKWKSSENS
-------\Service_TrkWksSENS


((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-15 21:53 . 2008-03-01 09:06 6,066,176 -----c--- C:\SYSROOT\system32\dllcache\ieframe.dll
2008-04-15 21:53 . 2007-06-30 23:31 2,455,488 -----c--- C:\SYSROOT\system32\dllcache\ieapfltr.dat
2008-04-15 21:53 . 2007-06-30 23:36 991,232 -----c--- C:\SYSROOT\system32\dllcache\ieframe.dll.mui
2008-04-15 21:53 . 2008-03-01 09:06 459,264 -----c--- C:\SYSROOT\system32\dllcache\msfeeds.dll
2008-04-15 21:53 . 2008-03-01 09:06 383,488 -----c--- C:\SYSROOT\system32\dllcache\ieapfltr.dll
2008-04-15 21:53 . 2008-03-01 09:06 267,776 -----c--- C:\SYSROOT\system32\dllcache\iertutil.dll
2008-04-15 21:53 . 2008-03-01 09:06 63,488 -----c--- C:\SYSROOT\system32\dllcache\icardie.dll
2008-04-15 21:53 . 2008-03-01 09:06 52,224 -----c--- C:\SYSROOT\system32\dllcache\msfeedsbs.dll
2008-04-15 21:53 . 2008-02-22 06:00 13,824 -----c--- C:\SYSROOT\system32\dllcache\ieudinit.exe
2008-04-15 21:24 . 2008-04-15 21:24 118 --a------ C:\SYSROOT\system32\MRT.INI
2008-04-15 03:02 . 2008-04-15 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-13 21:00 . 2007-07-30 19:18 34,136 --a------ C:\SYSROOT\system32\wucltui.dll.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuaucpl.cpl.mui
2008-04-13 21:00 . 2007-07-30 19:19 25,944 --a------ C:\SYSROOT\system32\wuapi.dll.mui
2008-04-13 21:00 . 2007-07-30 19:18 20,312 --a------ C:\SYSROOT\system32\wuaueng.dll.mui
2008-04-13 20:53 . 2008-04-13 22:00 <DIR> d-------- C:\fixwareout
2008-04-13 20:34 . 2008-04-13 20:34 <DIR> d-------- C:\SYSROOT\ERUNT
2008-04-13 20:33 . 2008-04-13 20:33 <DIR> d-------- C:\SDFix
2008-03-26 21:40 . 2008-03-26 21:40 <DIR> d-------- C:\!KillBox
2008-03-26 21:22 . 2008-03-26 21:22 <DIR> d-------- C:\Auto_Run

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 05:22 --------- d-----w C:\Program Files\Yahoo!
2008-04-14 05:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Yahoo
2008-04-14 05:19 --------- d-----w C:\Program Files\Audible
2008-04-14 04:47 --------- d-----w C:\Program Files\Google
2008-04-14 04:36 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Move Networks
2008-04-14 04:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 02:15 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 01:55 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\yahoo!
2008-04-14 01:51 --------- d-----w C:\Program Files\Creative
2008-04-14 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-14 01:22 --------- d---a-w C:\Documents and Settings\All Users.SYSROOT\Application Data\TEMP
2008-03-23 20:54 --------- d-----w C:\Documents and Settings\CCD\Application Data\Grisoft
2008-03-23 20:18 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Grisoft
2008-03-23 20:18 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Grisoft
2008-03-23 17:29 --------- d-----w C:\Documents and Settings\CCD\Application Data\Motive
2008-03-11 03:25 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 02:24 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\McAfee
2008-03-06 03:43 --------- d-----w C:\Documents and Settings\CCD\Application Data\Malwarebytes
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\arijit_saha\Application Data\Malwarebytes
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\Malwarebytes
2008-03-04 04:52 --------- d-----w C:\Documents and Settings\All Users.SYSROOT\Application Data\TVU Networks
2007-09-04 01:30 284 ----a-w C:\Documents and Settings\arijit_saha\Application Data\ViewerApp.dat
2007-01-31 01:15 9,452,296 ----a-w C:\Program Files\yahoo_bejeweled2_tm1-1.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-20_23.16.19.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 01:00:19 2,048 --s-a-w C:\SYSROOT\bootstat.dat
+ 2008-04-26 15:33:53 2,048 --s-a-w C:\SYSROOT\bootstat.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\SYSROOT\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 504,080 2004-04-06 11:44:48 C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe

----a-w 36,975 2005-11-10 07:33:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 4,886,528 2004-10-15 10:33:26 C:\Program Files\MSN Messenger\bak\msnmsgr.exe

----a-w 495,616 2004-01-22 09:08:36 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,304 2004-01-22 09:09:00 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 126,976 2003-01-21 12:30:06 C:\Program Files\Toshiba\TouchED\bak\TouchED.Exe

----a-w 49,152 2002-09-09 09:37:34 C:\Program Files\Toshiba\Wireless Hotkey\bak\TosHKCW.exe

----a-w 438,359 2006-06-23 16:33:02 C:\Program Files\Verizon\SmartBridge\bak\MotiveSB.exe

----a-w 4,662,776 2006-10-30 22:05:54 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 258,048 2004-06-28 11:54:28 C:\SYSROOT\system32\bak\00THotkey.exe

----a-w 15,360 2004-08-03 19:26:50 C:\SYSROOT\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-03 19:26:50 C:\SYSROOT\system32\ctfmon.exe

----a-r 126,976 2004-10-25 00:52:00 C:\SYSROOT\system32\bak\hkcmd.exe

----a-r 155,648 2004-10-25 00:56:00 C:\SYSROOT\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\SYSROOT\system32\ctfmon.exe" [2004-08-03 15:26 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 10:58 24576 C:\SYSROOT\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2004-06-28 00:52 73728 C:\SYSROOT\system32\TFNF5.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe" [2007-09-25 22:23 75256]
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-05 10:44 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 19:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 13:02 79400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\picasa\Picasa2\PicasaMediaDetector.exe" [ ]

C:\Documents and Settings\blrkeclxxxxxadm\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 04:36:14 59080]

C:\Documents and Settings\All Users.SYSROOT\Start Menu\Programs\Startup\
RAMASST.lnk - C:\SYSROOT\system32\RAMASST.exe [2006-03-22 08:41:56 155648]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-22 07:37:37 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-06-19 03:31 24669 C:\SYSROOT\system32\ckpNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\SYSROOT\\system32\\dpvsetup.exe"=
"C:\\SYSROOT\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\SYSROOT\\system32\\sessmgr.exe"=
"C:\\SYSROOT\\system32\\rundll32.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\SYSROOT\system32\DRIVERS\thpdrv.sys [2004-11-30 12:19]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\SYSROOT\system32\DRIVERS\Thpevm.SYS [2004-11-13 02:54]
R2 CcmExec;SMS Agent Host;C:\SYSROOT\system32\CCM\CcmExec.exe [2004-08-03 17:35]
R2 CP_OMDRV;Check Point Office Mode Module;C:\SYSROOT\system32\drivers\omdrv.sys [2005-06-19 03:31]
R2 IDispChgService;IDispChg Service;C:\SYSROOT\system32\IDispChg.exe [2004-03-30 09:13]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 12:20]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\SYSROOT\system32\DRIVERS\vnasc.sys [2005-06-19 03:30]
R2 VPN-1;VPN-1 Module;C:\SYSROOT\system32\drivers\vpn.sys [2005-06-19 03:30]
R3 FW1;SecuRemote Miniport;C:\SYSROOT\system32\DRIVERS\fw.sys [2005-06-19 03:30]
S3 hamachi_oem;PlayLinc Adapter;C:\SYSROOT\system32\DRIVERS\gan_adapter.sys [2006-09-27 17:12]
S3 prepdrvr;SMS Process Event Driver;C:\SYSROOT\system32\CCM\prepdrv.sys [2004-06-26 17:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 10:00:00 C:\SYSROOT\Tasks\At7.job"
- C:\SYSROOT\system32\b7jcHt1m.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 11:34:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYSROOT\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\SYSROOT\system32\wdfmgr.exe
C:\SYSROOT\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\SYSROOT\system32\msiexec.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\SYSROOT\system32\Macromed\Flash\FlashUtil9d.exe
.
**************************************************************************
.
Completion time: 2008-04-26 11:38:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 15:38:00
ComboFix2.txt 2008-04-21 03:16:35

Pre-Run: 13,896,044,544 bytes free
Post-Run: 13,809,008,640 bytes free

284 --- E O F --- 2008-04-16 01:56:25



Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
AVG Anti-Spyware 7.5
CA eTrust Antivirus
Canon MP Navigator EX 1.0
Canon MP470 series
Canon MP470 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Check Point VPN-1 SecureClient NGX R60
C-Major Audio
DART
DVD-RAM Driver
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB928388)
ImageMixer VCD2
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
InterVideo WinDVD for TOSHIBA
iPassConnect
J2SE Runtime Environment 5.0 Update 13
J2SE Runtime Environment 5.0 Update 6
Java 2 SDK Standard Edition v1.3
Kaspersky Online Scanner
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Visual C++ 2005 Redistributable
MSN Messenger 6.2
MSXML 4.0 SP2 (KB936181)
PIXMA Extended Survey Program
Registry Mechanic 6.0
ScanSoft OmniPage SE 4
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sony USB Driver
Synaptics Pointing Device Driver
TOSHIBA Display Service for Ext.Monitor
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA PC Diagnostic Tool
TOSHIBA Software Modem
TOSHIBA TouchPad On/Off Utility V2.05.00
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Verizon High Speed Internet
Verizon Online Help and Support
Verizon PC Security Checkup
Verizon Servicepoint 1.5.12
Verizon Yahoo! Applications
Whale Communications' Client Components v3.1.2
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows Messenger 5.1
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
Wireless Hotkey



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:50, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\SYSROOT\System32\smss.exe
C:\SYSROOT\system32\winlogon.exe
C:\SYSROOT\system32\services.exe
C:\SYSROOT\system32\lsass.exe
C:\SYSROOT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYSROOT\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\SYSROOT\system32\IDispChg.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\SYSROOT\system32\svchost.exe
C:\SYSROOT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\SYSROOT\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\SYSROOT\system32\TFNF5.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\SYSROOT\system32\ctfmon.exe
C:\SYSROOT\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\SYSROOT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\SYSROOT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\SYSROOT\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\npjpi150_13.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\SYSROOT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\SYSROOT\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://connectibdplus.gs.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\SYSROOT\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: IDispChg Service (IDispChgService) - Unknown owner - C:\SYSROOT\system32\IDispChg.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

--
End of file - 8080 bytes

#15 asaha

  • Topic Starter

Posted 28 April 2008 - 10:37 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-26 13:46
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/04/2008
Kaspersky Anti-Virus database records: 726528
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55184
Number of viruses found: 7
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:49:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\altg.exe Infected: Trojan-Spy.Win32.Banker.gul skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wcktts.exe Infected: Trojan-Spy.Win32.Banker.gwv skipped
C:\Documents and Settings\All Users.SYSROOT\_qbothome\q1.8205 Infected: Backdoor.Win32.Agent.aiy skipped
C:\Documents and Settings\All Users.SYSROOT\_qbothome\u\_qbot.dll Infected: Backdoor.Win32.Agent.aiy skipped
C:\Documents and Settings\All Users.SYSROOT\_qbothome\_qbot.dll Infected: Backdoor.Win32.Agent.aiy skipped
C:\Documents and Settings\arijit_saha\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped
C:\Documents and Settings\arijit_saha\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\arijit_saha\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\ntuser.dat Object is locked skipped
C:\Documents and Settings\arijit_saha\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logaccount_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.loginitial_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logLuuidDB Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000000.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000000.logaccount_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000000.loginitial_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000000.logLuuidDB Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000000.logptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_gui_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_service_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_watchdog_tde.log Object is locked skipped
C:\Program Files\iPass\iPassConnect\pbupdate\pbook.mdb.ldb Object is locked skipped
C:\Program Files\iPass\iPassConnect\pbupdate\pbook.mdb.temp Object is locked skipped
C:\Program Files\iPass\iPassConnect\pbupdate\pbook.txt.9752 Object is locked skipped
C:\Program Files\iPass\iPassConnect\tmp\media.csv Object is locked skipped
C:\Program Files\iPass\iPassConnect\tmp\pbook.csv Object is locked skipped
C:\Program Files\iPass\iPassConnect\tmp\price.csv Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\arijit_saha\Application Data\ntos.exe.vir Infected: Trojan-Spy.Win32.Zbot.eb skipped
C:\QooBox\Quarantine\C\jehebe.exe.vir Infected: Trojan-Downloader.Win32.Agent.lxl skipped
C:\QooBox\Quarantine\C\ntldr.sys.vir Infected: Trojan-Proxy.Win32.Pixoliz.ix skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\1033r.exe.vir Infected: Trojan.Win32.Inject.aet skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd275.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd314.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd374.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd406.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd407.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd414.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd446.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd451.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd463.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd468.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\pokd888.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\ssqopmk.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\system32\winlagan.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At1.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At10.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At11.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At12.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At13.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At14.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At15.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At16.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At17.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At18.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At19.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At2.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At20.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At21.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At22.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At23.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At24.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At3.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At4.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At5.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At6.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At8.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\SYSROOT\Tasks\At9.job.vir Object is locked skipped
C:\QooBox\Quarantine\C\tlmnmae.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\wqcltxk.exe.vir Object is locked skipped
C:\QooBox\Quarantine\catchme.log Object is locked skipped
C:\QooBox\Quarantine\catchme2008-04-15_ 72921.30.zip Object is locked skipped
C:\QooBox\Quarantine\D\AUTORUN.INF.vir Object is locked skipped
C:\QooBox\Quarantine\Registry_backups\Legacy_TRKWKSSENS.reg.dat Object is locked skipped
C:\QooBox\Quarantine\Registry_backups\Service_TrkWksSENS.reg.dat Object is locked skipped
C:\QooBox\snapshot@2008-04-20_23.16.19.60.dat Object is locked skipped
C:\QooBox\snapshot@2008-04-20_23.16.19.60_B.dat Object is locked skipped
C:\SDFix\SDFix\AdminCheck2.txt Object is locked skipped
C:\SDFix\SDFix\apps\assosfix.reg Object is locked skipped
C:\SDFix\SDFix\apps\cliptext.exe Object is locked skipped
C:\SDFix\SDFix\apps\download.exe Object is locked skipped
C:\SDFix\SDFix\apps\dummy.sys Object is locked skipped
C:\SDFix\SDFix\apps\Enable_Command_Prompt.reg Object is locked skipped
C:\SDFix\SDFix\apps\ERDNT.E_E Object is locked skipped
C:\SDFix\SDFix\apps\ERDNTDOS.LOC Object is locked skipped
C:\SDFix\SDFix\apps\ERDNTWIN.LOC Object is locked skipped
C:\SDFix\SDFix\apps\ERUNT.EXE Object is locked skipped
C:\SDFix\SDFix\apps\ERUNT.LOC Object is locked skipped
C:\SDFix\SDFix\apps\fix.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixBH.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixComponents.reg Object is locked skipped
C:\SDFix\SDFix\apps\FIXCU.reg Object is locked skipped
C:\SDFix\SDFix\apps\FIXLM.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixPath.exe Object is locked skipped
C:\SDFix\SDFix\apps\FixRedir.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixSchedule.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixWebCheck.reg Object is locked skipped
C:\SDFix\SDFix\apps\fixXP.reg Object is locked skipped
C:\SDFix\SDFix\apps\FixXPsp2.reg Object is locked skipped
C:\SDFix\SDFix\apps\grep.exe Object is locked skipped
C:\SDFix\SDFix\apps\HPFix.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix2.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix3.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix4.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix5.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix6.reg Object is locked skipped
C:\SDFix\SDFix\apps\HPFix7.reg Object is locked skipped
C:\SDFix\SDFix\apps\isadmin.exe Object is locked skipped
C:\SDFix\SDFix\apps\leg2.txt Object is locked skipped
C:\SDFix\SDFix\apps\legacy.txt Object is locked skipped
C:\SDFix\SDFix\apps\legacybk.txt Object is locked skipped
C:\SDFix\SDFix\apps\locate.com Object is locked skipped
C:\SDFix\SDFix\apps\LS.exe Object is locked skipped
C:\SDFix\SDFix\apps\MD5File.exe Object is locked skipped
C:\SDFix\SDFix\apps\MyGcpvFix.reg Object is locked skipped
C:\SDFix\SDFix\apps\MyGkFix2.reg Object is locked skipped
C:\SDFix\SDFix\apps\Process.exe Object is locked skipped
C:\SDFix\SDFix\apps\procs.exe Object is locked skipped
C:\SDFix\SDFix\apps\psservice.exe Object is locked skipped
C:\SDFix\SDFix\apps\Rem.txt Object is locked skipped
C:\SDFix\SDFix\apps\Rem2.txt Object is locked skipped
C:\SDFix\SDFix\apps\Replace\regedit.exe Object is locked skipped
C:\SDFix\SDFix\apps\Replace\w2k\beep.sys Object is locked skipped
C:\SDFix\SDFix\apps\Replace\w2k\null.sys Object is locked skipped
C:\SDFix\SDFix\apps\Replace\W2K.exe Object is locked skipped
C:\SDFix\SDFix\apps\Replace\xp\beep.sys Object is locked skipped
C:\SDFix\SDFix\apps\Replace\xp\null.sys Object is locked skipped
C:\SDFix\SDFix\apps\Replace\XP.exe Object is locked skipped
C:\SDFix\SDFix\apps\Reset_AppInit_DLLs.reg Object is locked skipped
C:\SDFix\SDFix\apps\RestartIt!.exe Object is locked skipped
C:\SDFix\SDFix\apps\Restore_SecurityCenter.reg Object is locked skipped
C:\SDFix\SDFix\apps\Restore_SharedAccess.reg Object is locked skipped
C:\SDFix\SDFix\apps\sc.exe Object is locked skipped
C:\SDFix\SDFix\apps\sed.exe Object is locked skipped
C:\SDFix\SDFix\apps\SF.exe Object is locked skipped
C:\SDFix\SDFix\apps\shutdown.exe Object is locked skipped
C:\SDFix\SDFix\apps\srv2.txt Object is locked skipped
C:\SDFix\SDFix\apps\srv2bk.txt Object is locked skipped
C:\SDFix\SDFix\apps\svc.txt Object is locked skipped
C:\SDFix\SDFix\apps\svcbk.txt Object is locked skipped
C:\SDFix\SDFix\apps\swreg.exe Object is locked skipped
C:\SDFix\SDFix\apps\swsc.exe Object is locked skipped
C:\SDFix\SDFix\apps\unzip.exe Object is locked skipped
C:\SDFix\SDFix\apps\vfind.exe Object is locked skipped
C:\SDFix\SDFix\apps\WINMSG.EXE Object is locked skipped
C:\SDFix\SDFix\apps\winsec.reg Object is locked skipped
C:\SDFix\SDFix\apps\zip.exe Object is locked skipped
C:\SDFix\SDFix\attrib.exe Object is locked skipped
C:\SDFix\SDFix\backupreg\AppInit_DLLs.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\bat_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\BHO.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\com_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\ControlPanel_Load.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\Drivers32.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\exe_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKCURun.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKCURunServices.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKCU_SOFTWARE_Policy.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKCU_WINDOWS_Policy.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKLMRun.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKLMRunServices.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKLM_SOFTWARE_Policy.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\HKLM_WINDOWS_Policy.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\hta_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\IEDesktop.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\IEMain.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\Installed_Components.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\pif_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\reg_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\SecurityProviders.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\SharedTaskScheduler.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\ShellServiceObjectDelayLoad.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\SubSystems.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\txt_shell_open.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\Winlogon.reg Object is locked skipped
C:\SDFix\SDFix\backupreg\WinlogonNotify.reg Object is locked skipped
C:\SDFix\SDFix\backups\1143780040 Object is locked skipped
C:\SDFix\SDFix\backups\1204637172.dll Object is locked skipped
C:\SDFix\SDFix\backups\16C4.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\1A9.tmp Object is locked skipped
C:\SDFix\SDFix\backups\2BA0.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\39BF.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\439E.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\4A33.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\6324.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\6C84.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\6FE7.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\71B9.tmp.lst Object is locked skipped
C:\SDFix\SDFix\backups\764.exe Object is locked skipped
C:\SDFix\SDFix\backups\7search.dll Object is locked skipped
C:\SDFix\SDFix\backups\absolute key logger.lnk Object is locked skipped
C:\SDFix\SDFix\backups\ace16win.dll Object is locked skipped
C:\SDFix\SDFix\backups\aconti.exe Object is locked skipped
C:\SDFix\SDFix\backups\aconti.ini Object is locked skipped
C:\SDFix\SDFix\backups\aconti.log Object is locked skipped
C:\SDFix\SDFix\backups\aconti.sdb Object is locked skipped
C:\SDFix\SDFix\backups\acontidialer.txt Object is locked skipped
C:\SDFix\SDFix\backups\adbar.dll Object is locked skipped
C:\SDFix\SDFix\backups\adult.txt Object is locked skipped
C:\SDFix\SDFix\backups\agehhtd.cat Object is locked skipped
C:\SDFix\SDFix\backups\akl.dll Object is locked skipped
C:\SDFix\SDFix\backups\akl.exe Object is locked skipped
C:\SDFix\SDFix\backups\asbar.dll Object is locked skipped
C:\SDFix\SDFix\backups\ASearchAssist.dll Object is locked skipped
C:\SDFix\SDFix\backups\awmsg.dat Object is locked skipped
C:\SDFix\SDFix\backups\BarLcher.dll Object is locked skipped
C:\SDFix\SDFix\backups\cbinst$.exe Object is locked skipped
C:\SDFix\SDFix\backups\CREDIGUI.DLL.0.AVB Object is locked skipped
C:\SDFix\SDFix\backups\csrssc.exe Object is locked skipped
C:\SDFix\SDFix\backups\curlog.htm Object is locked skipped
C:\SDFix\SDFix\backups\daxtime.dll Object is locked skipped
C:\SDFix\SDFix\backups\default.htm Object is locked skipped
C:\SDFix\SDFix\backups\dp0.dll Object is locked skipped
C:\SDFix\SDFix\backups\ESHOPEE.exe Object is locked skipped
C:\SDFix\SDFix\backups\eventlowg.dll Object is locked skipped
C:\SDFix\SDFix\backups\fhfmm-Uninstaller.exe Object is locked skipped
C:\SDFix\SDFix\backups\fhfmm.exe Object is locked skipped
C:\SDFix\SDFix\backups\FileList.txt Object is locked skipped
C:\SDFix\SDFix\backups\finance.txt Object is locked skipped
C:\SDFix\SDFix\backups\flt.dll Object is locked skipped
C:\SDFix\SDFix\backups\ftpdll.dll Object is locked skipped
C:\SDFix\SDFix\backups\guid.dat Object is locked skipped
C:\SDFix\SDFix\backups\hcwprn.exe Object is locked skipped
C:\SDFix\SDFix\backups\helper.dll Object is locked skipped
