
My Laptop Infected With "warning Spyware Detected On Your Computer"


This topic is locked
5 replies to this topic

#1 spyware_victim

spyware_victim

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 23 April 2008 - 10:19 AM

Gurus,
Please help me. My desktop has turned blue with the message "warning Spyware Detected On Your Computer".
I have many more issues, with the system running very slowly and not being able to log in to my Outlook (it always shows the status Disconnected).

Thanks in advance. Please find my HijackThis log below.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:03 AM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\orant\bin\ifsrv60.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\orant\bin\ifweb60.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Omnipod\POD\omnipod.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN4.tmp
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Quest Software\TOAD\TOAD.exe
C:\Program Files\Quest Software\TOAD\TOAD.exe
C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Quest Software\TOAD\TOAD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\Hostex32.exe
C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
C:\Program Files\Hummingbird\Connectivity\8.00\Hummingbird Neighborhood\HNWAIT.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temps\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.uhhs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.uhhs.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHHS, Inc.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKUS\S-1-5-21-191044553-1107890727-1469997231-60088\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-191044553-1107890727-1469997231-60088\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe (User '?')
O4 - Global Startup: POD.lnk = C:\Program Files\Omnipod\POD\omnipod.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.uhhs.com
O15 - Trusted Zone: *.fcg.com (HKLM)
O15 - Trusted Zone: http://*.kronosprod (HKLM)
O15 - Trusted Zone: http://www.ohiobwc.com (HKLM)
O15 - Trusted Zone: *.smsrsm.com (HKLM)
O15 - Trusted Zone: *.uhanes.com (HKLM)
O15 - Trusted Zone: *.uhcanesthesia.com (HKLM)
O15 - Trusted Zone: *.uhhs.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) -
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://uhsuntap2.uhhs.com:8035/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uhhs.com
O17 - HKLM\Software\..\Telephony: DomainName = uhhs.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E10B9F-C1C3-4AB4-ACA3-8F6EC4882FE0}: NameServer = 202.144.105.4,202.144.10.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{35FA48F9-2E9A-45C6-878A-A329535291CC}: Domain = uhhs.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35FA48F9-2E9A-45C6-878A-A329535291CC}: NameServer = 10.51.107.20,10.50.16.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{736D8F84-C335-4D84-AB99-4569CF5F9A78}: NameServer = 218.248.240.24 218.248.240.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFAF7106-808F-4599-9ABF-17578CE0188A}: NameServer = 203.145.184.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uhhs.com
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Oracle Forms Server [Forms60Server-Orant] (OracleFormsServer-Forms60Server-Orant) - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOrantClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9525 bytes
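The log above is what a helper reads by hand: running processes, O17 DNS entries, the O20 Winlogon Notify package and the O23 service list. The script below is an added example for this thread (not code from BleepingComputer, Trend Micro or the posters) that automates those same checks over lines copied from the posted log. The two tables EXPECTED_SERVICE_PATHS and WINLOGON_NOTIFY_ALLOWLIST are assumptions made for the demo (partial tables for Windows XP), not authoritative lists; treat every finding as something to review, not a verdict.

```python
"""Triage a HijackThis v2 log for the signs a malware helper checks by hand.

Added example for this thread; it is not code from BleepingComputer, Trend Micro
or the posters. SAMPLE_LOG is copied from the HijackThis log in the first post.
EXPECTED_SERVICE_PATHS and WINLOGON_NOTIFY_ALLOWLIST are assumptions made for
this demo (partial tables for Windows XP), not authoritative lists.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\BN4.tmp
C:\Program Files\Internet Explorer\iexplore.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{35FA48F9-2E9A-45C6-878A-A329535291CC}: NameServer = 10.51.107.20,10.50.16.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{736D8F84-C335-4D84-AB99-4569CF5F9A78}: NameServer = 218.248.240.24 218.248.240.141
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
"""


@dataclass
class Finding:
    section: str  # log section or HijackThis entry type (processes, O17, O20, O23)
    reason: str   # why the line was flagged
    line: str     # the log line, verbatim


# Assumed table: service short names whose binary location on XP is fixed.
EXPECTED_SERVICE_PATHS = {
    "schedule": r"c:\windows\system32\svchost.exe",
    "wmiapsrv": r"c:\windows\system32\wbem\wmiapsrv.exe",
}
# Assumed allowlist: Winlogon Notify subkeys that ship with Windows XP.
WINLOGON_NOTIFY_ALLOWLIST = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Display name is greedy, owner is lazy and the path must start with a drive
# letter, so a " - " inside the display name does not confuse the split.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Short service name is the last parenthesised group of the display name.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]*(?:\([^()]*\))?)\)$")


def _is_public(addr: str) -> bool:
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # not an IP literal; leave it to a human


def triage(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve a second look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            low = line.lower()
            if "\\temp\\" in low or low.endswith(".tmp"):
                findings.append(Finding("processes", "executable running from a temp location", line))
            continue
        if m := O17_RE.match(line):
            # Separator is a comma or a space depending on the adapter entry.
            public = [s for s in re.split(r"[ ,]+", m["servers"].strip()) if _is_public(s)]
            if public:
                findings.append(Finding("O17", "non-private DNS resolver(s): " + ", ".join(public), line))
        elif m := O20_RE.match(line):
            if m["key"].lower() not in WINLOGON_NOTIFY_ALLOWLIST:
                findings.append(Finding("O20", "unknown Winlogon Notify package (loads into winlogon.exe)", line))
        elif m := O23_RE.match(line):
            path = m["path"]
            missing = path.endswith("(file missing)")
            path_clean = path.replace("(file missing)", "").strip().lower()
            sm = SHORT_NAME_RE.search(m["name"])
            short = (sm["short"] if sm else m["name"]).lower()
            expected = EXPECTED_SERVICE_PATHS.get(short)
            if expected and path_clean != expected:
                findings.append(Finding("O23", f"service '{short}' should run from {expected}", line))
            elif missing:
                findings.append(Finding("O23", "service binary is missing on disk", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the posted lines this reports the .tmp running from C:\WINDOWS\TEMP, the two public resolvers on one adapter (to be checked against what the ISP actually hands out), the WLCtrl32 notify package, the "Task Scheduler" service pointing at drivers\spools.exe instead of the svchost.exe host it normally runs under, and the missing wmiapsrv.exe binary. The O23 name check only works because the short name in parentheses is a key Windows does not let two services share; a display name alone is easy to copy.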


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:05 PM

Posted 23 April 2008 - 11:04 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 spyware_victim

spyware_victim
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 24 April 2008 - 09:24 AM

Sam, thanks for your quick reply. My system is going from bad to worse. Everything is damn slow now and I feel it is going to be dead in a day or two.

Please find my combofix log below.
Thanks again for your help


ComboFix 08-04-22.5 - KCheruv1 2008-04-24 10:00:38.1 - NTFSx86
Running from: C:\Documents and Settings\kcheruv1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Windows Media Player\peryt777444.dll
C:\Program Files\Windows Media Player\peryt89104.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem~1
C:\WINDOWS\stem~1\??stem\
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\c4\np89104.exe
C:\WINDOWS\system32\dfgdfg.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nwlnkfwdd.sys
C:\WINDOWS\system32\drivers\Rxe52.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\k8\ravecom3.exe
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\qausgufh.ini
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\renabcom4.exe
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\xoxaaxak.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NWLNKFWDD
-------\Legacy_RUNTIME
-------\Legacy_RXE52
-------\Legacy_SYMAVC32
-------\Service_nwlnkfwdd
-------\Service_Rxe52
-------\Service_symavc32
-------\Legacy_Schedule
-------\Service_Schedule


((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 03:59 . 2008-04-24 03:59 141 --a------ C:\deb.sbl
2008-04-23 17:22 . 2008-04-23 17:22 4,476 --a------ C:\char_sameer.sql
2008-04-23 17:08 . 2008-04-23 17:08 10,752 --a------ C:\error_PO_nums.xls
2008-04-23 13:10 . 2008-04-23 13:16 83,968 --a------ C:\SR7131 LMS Certificates.doc
2008-04-23 10:54 . 2008-04-23 10:55 <DIR> d-------- C:\Program Files\Panda Security
2008-04-23 10:35 . 2008-04-23 10:35 354 --a------ C:\look.bat
2008-04-23 10:31 . 2008-04-23 10:31 <DIR> d-------- C:\Documents and Settings\kcheruv1\Application Data\Grisoft
2008-04-23 10:30 . 2008-04-23 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-23 10:30 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-23 06:02 . 2007-04-23 06:05 8,192 --a------ C:\Documents and Settings\UH6226~2
2008-04-22 16:06 . 2008-04-22 16:06 <DIR> d-------- C:\Program Files\PrevxCSI
2008-04-22 16:06 . 2007-04-23 07:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-22 14:31 . 2008-04-22 14:31 77,312 --a------ C:\Note on Income Tax Declaration for the year 2008.doc
2008-04-22 14:31 . 2008-04-22 14:31 66,039 --a------ C:\Investment declaration Guide DEMO.pdf
2008-04-22 09:52 . 2008-04-21 09:54 74,863 -ra------ C:\UHLMS_Compliance_Template.rtf
2008-04-21 11:52 . 2008-04-21 14:28 20,992 --a------ C:\Copy of FCGI Technical Task List_042008.xls
2008-04-21 09:51 . 2008-04-21 09:51 1,270,955 --a------ C:\UHLMS_Certificate_Template.rtf
2008-04-18 08:55 . 2008-04-24 03:34 <DIR> d-------- C:\Program Files\Sify Broadband
2008-04-18 08:55 . 2008-04-24 09:31 <DIR> d-------- C:\Documents and Settings\kcheruv1\Application Data\Broadband
2008-04-17 16:57 . 2008-04-17 16:58 20,945 --a------ C:\enc_dc_po_0114208.sql
2008-04-17 14:00 . 2008-04-17 14:00 2,613 --a------ C:\ame_Test.sql
2008-04-17 13:00 . 2008-04-17 13:59 15,529 --a------ C:\UHHS_IEXPENSE_AME_API_tst1.prc
2008-04-17 12:31 . 2008-04-17 12:31 2,882,407 --a------ C:\complete_employee_list.xls
2008-04-17 12:16 . 2008-04-17 12:16 14,711 --a------ C:\UHHS_IEXPENSE_AME_API_tst2.prc
2008-04-16 09:07 . 2008-04-16 09:07 633 --a------ C:\email_count.sql
2008-04-15 18:18 . 2008-04-15 18:22 279,333 --a------ C:\email_null_emps.xls
2008-04-15 18:17 . 2008-04-15 18:24 839,307 --a------ C:\email_null.xls
2008-04-15 10:24 . 2008-04-22 11:17 27,738 --a------ C:\VoiceMessage.wav
2008-04-14 16:32 . 2008-04-14 17:17 12,048 --a------ C:\dup_items.xls
2008-04-14 13:57 . 2008-04-14 14:04 84,992 --a------ C:\SR7097 Alter Table.doc
2008-04-14 13:25 . 2008-04-16 16:33 14,012 --a------ C:\UHSTRATAINV_run.sql
2008-04-14 11:18 . 2008-04-14 11:35 40,960 --a------ C:\UH Outsourcing - Oracle Apps Tech Support - WSR FCGI_apr07.doc
2008-04-14 04:25 . 2008-04-14 04:25 133,120 --a------ C:\Intranet Corp Directory View Specification .doc
2008-04-14 03:20 . 2008-04-14 03:20 10,752 --a------ C:\assignment_status.xls
2008-04-14 02:54 . 2008-04-14 02:54 10,752 --a------ C:\person_types.xls
2008-04-11 23:46 . 2008-04-11 23:46 <DIR> d-------- C:\Windows malicious software removal tool
2008-04-11 17:34 . 2008-04-11 17:34 39,289 --a------ C:\JVUJEVI1.11516590
2008-04-11 12:41 . 2008-04-11 17:24 37,888 --a------ C:\Copy of UH Accountwise Associate Evaluation Form - Ramadevi.xls
2008-04-11 01:15 . 2008-04-11 01:26 598 --a------ C:\SR7081.cfg
2008-04-10 10:37 . 2008-03-27 10:59 28,672 --a------ C:\FCGI TEchnical Team task Lists.xls
2008-04-08 15:34 . 2008-04-11 10:16 13,769 --a------ C:\strata_inv_run.sql
2008-04-08 08:43 . 2008-04-08 15:37 15,719 --a------ C:\info.sql
2008-04-08 08:01 . 2008-04-08 08:01 229,376 --a------ C:\Nicole maronion.doc
2008-04-07 13:38 . 2008-04-07 13:48 40,960 --a------ C:\UH Outsourcing - Oracle Apps Tech Support - WSR FCGI_Mar29.doc
2008-04-07 09:07 . 2008-04-08 08:42 51,758 --a------ C:\SFXINWKB.err
2008-04-07 09:07 . 2008-04-07 09:07 11,014 --a------ C:\SFXVDMVD.err
2008-04-04 17:40 . 2008-04-04 17:40 262,144 --a------ C:\Documents and Settings\UH6226~1
2008-04-04 15:28 . 2008-04-09 16:28 <DIR> d-------- C:\170customforms
2008-04-04 15:18 . 2008-04-04 15:18 269,334 --a------ C:\WINDOWS\system32\hsrqlcr.bmp
2008-04-04 15:18 . 2008-04-04 15:18 24,029 --a------ C:\Documents and Settings\kcheruv1\cftmon.exe
2008-04-04 11:18 . 2008-04-04 11:20 <DIR> d-------- C:\Report Needed
2008-04-02 17:24 . 2008-04-02 17:35 43,520 --a------ C:\UH Outsourcing - Oracle Apps Tech Support - WSR FCGI_Mar22.doc
2008-04-02 17:13 . 2008-04-01 13:17 30,805 --a------ C:\UHHR_403B_MATCH_DATE_PKG.pls
2008-04-02 17:06 . 2008-04-02 17:08 83,968 --a------ C:\SR7016 Compensation Survey Discoverer Report Objects.doc
2008-04-02 16:47 . 2008-04-02 16:47 3,432 --a------ C:\uhhs_discover_rpt_pkg.pls
2008-04-02 14:14 . 2008-04-11 01:42 84,992 --a------ C:\SR7081 INV ATPAR Migration.doc
2008-04-02 10:59 . 2008-04-02 10:59 32,272 --a------ C:\cigna_run.sql
2008-04-01 15:51 . 2008-04-01 15:51 13,111 --a------ C:\dup_item_numbers_with_primary.xls
2008-04-01 13:33 . 2008-04-01 13:33 132,608 --a------ C:\Intranet Corp Directory View Specification.doc
2008-04-01 13:01 . 2008-04-01 13:01 6,852 --a------ C:\final_pm_query.sql
2008-03-31 18:08 . 2008-03-31 18:09 10,752 --a------ C:\2012047.xls
2008-03-31 17:06 . 2008-03-31 17:06 5,545 --a------ C:\pm_union.sql
2008-03-31 14:45 . 2008-04-02 10:59 2,034 --a------ C:\primary_mfg_part_num.sql
2008-03-31 11:41 . 2008-03-31 11:44 55,717 --a------ C:\primary.xls
2008-03-31 10:28 . 2008-04-01 13:01 11,051 --a------ C:\pm_junk.sql
2008-03-31 10:28 . 2008-04-01 13:02 9,951 --a------ C:\pm_junk2.sql
2008-03-31 07:29 . 2008-03-31 07:29 31,758 --a------ C:\1STDA50154406.xls
2008-03-31 07:24 . 2008-03-31 07:24 25,555 --a------ C:\1STDC80754295.xls
2008-03-28 02:14 . 2008-03-28 02:14 11,181 --a------ C:\loa_test.sql
2008-03-27 13:10 . 2008-03-27 13:10 92,368 --a------ C:\uhhs_adpper20080327121730.dat
2008-03-27 12:41 . 2008-03-27 12:41 21,967 --a------ C:\101438.xls
2008-03-27 09:16 . 2008-03-27 15:48 27,249 --a------ C:\par_run.sql
2008-03-27 09:16 . 2008-03-31 10:28 4,919 --a------ C:\pm_sql.sql
2008-03-27 02:45 . 2008-03-27 02:45 19,892 --a------ C:\bar_account_class.sql
2008-03-25 12:42 . 2008-03-25 12:42 20,509 --a------ C:\strata_feb01-10.xls
2008-03-25 10:35 . 2008-03-25 10:50 87,552 --a------ C:\SR6972.doc
2008-03-25 09:18 . 2008-03-26 01:25 4,461 --a------ C:\cmis_test_no_entity.sql
2008-03-25 09:09 . 2008-03-25 10:28 153 --a------ C:\SR6972.sql
2008-03-24 17:24 . 2008-03-24 17:24 56,320 --a------ C:\Hyderabad%20Airport%20Guide[1].doc
2008-03-24 16:25 . 2008-03-24 16:25 157 --a------ C:\SR###.sql
2008-03-24 16:12 . 2008-03-24 16:12 5,516 --a------ C:\UHHS_PAYECL_LDACCT_GEN_PKG.pkb
2008-03-24 13:55 . 2008-03-24 13:55 13,739,597 --a------ C:\VISIONWAREEXTRACTFILEUHHSp15-MAR-2008.pay03242008_1300
2008-03-24 13:43 . 2008-03-24 13:43 10,240 --a------ C:\dup_directors.xls
2008-03-24 08:15 . 2008-03-24 08:15 5,632 --a------ C:\022007RESUB.xls

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 03:49 186,548 ----a-w C:\uhinvstrata_creation_date.dat
2008-03-19 18:34 192,509 ----a-w C:\uhinvstrata.dat
2008-03-11 05:23 2,508 ----a-w C:\Run1.reg
2008-03-07 08:18 219,939 ----a-w C:\PO03062008.dat
2008-03-05 21:39 35,140 ----a-w C:\uhhs_adpper20080305090029.dat
2008-03-05 21:39 166,664 ----a-w C:\uhhs_adpper20080304220105.dat
2008-03-04 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-04 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-04 20:04 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 14:25 18,319 ----a-w C:\Documents and Settings\All Users\Application Data\diwyki.pif
2008-02-29 14:25 18,031 ----a-w C:\WINDOWS\awituzon.com
2008-02-29 14:25 16,798 ----a-w C:\Documents and Settings\All Users\Application Data\paju.reg
2008-02-29 14:25 16,516 ----a-w C:\Program Files\Common Files\ujygenoc.sys
2008-02-29 14:25 14,289 ----a-w C:\WINDOWS\onywacib.reg
2008-02-29 14:25 11,469 ----a-w C:\Documents and Settings\kcheruv1\Application Data\domima.reg
2008-02-29 14:25 10,656 ----a-w C:\WINDOWS\kijoh.bat
2008-02-29 14:25 10,213 ----a-w C:\Documents and Settings\kcheruv1\Application Data\wujy.reg
2008-01-31 20:16 4,858 ----a-w C:\UHPONREM.dat
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04 127085]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"ACU"="C:\Program Files\Atheros\ACU\Utility\ACU.exe" [2005-11-28 09:13 303104]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-11-08 10:28 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-11-08 10:22 696320]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2004-09-23 12:41 860160]
"DSLAGENTEXE"="C:\Program Files\Huawei\MT882\dslagent.exe" [2003-10-31 05:56 65536]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-191044553-1107890727-1469997231-62501\Scripts\Logon\0\0]
"Script"=\\uhsmsdst3\logon\ENT_user.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rxe52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

*Newly Created Service* - SNABASE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 10:14:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ccmsetup]
"ImagePath"="\"C:\WINDOWS\system32\ccmsetup\ccmsetup.exe\" /runservice /config:MobileClient.tcf"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\CSGina.dll
-> C:\WINDOWS\System32\VPNAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\orant\BIN\ifsrv60.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\cclient.exe
C:\orant\BIN\ifweb60.EXE
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Omnipod\POD\omnipod.exe
.
**************************************************************************
.
Completion time: 2008-04-24 10:18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 14:18:54

Pre-Run: 33,041,825,792 bytes free
Post-Run: 33,104,351,232 bytes free
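Two patterns in the ComboFix listing above are worth automating: file names one character away from a Windows binary (spools.exe beside the real spoolsv.exe, cftmon.exe beside ctfmon.exe), and a burst of files with random-looking names all written in the same minute (the 2008-02-29 14:25 group). The script below is an added example for this thread, not ComboFix's or the posters' code; its sample lines are copied from the posted log, and KNOWN_SYSTEM_BINARIES is an assumed, partial list of legitimate names.

```python
"""Triage a ComboFix file listing for two things a helper spots by eye:
binaries named almost like Windows system files, and bursts of files
written in the same minute.

Added example for this thread; it is not ComboFix's or the posters' code.
SAMPLE_LISTING and DELETED_PATHS are lines copied from the ComboFix log
posted above; KNOWN_SYSTEM_BINARIES is an assumed, partial list.
"""
import re
from collections import defaultdict
from os.path import splitext
from typing import Dict, Iterable, List, Tuple

# Lines from the "Files Created" and "Find3M" sections of the posted log.
SAMPLE_LISTING = r"""
2008-04-23 10:30 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-11 23:46 . 2008-04-11 23:46 <DIR> d-------- C:\Windows malicious software removal tool
2008-04-04 15:18 . 2008-04-04 15:18 269,334 --a------ C:\WINDOWS\system32\hsrqlcr.bmp
2008-04-04 15:18 . 2008-04-04 15:18 24,029 --a------ C:\Documents and Settings\kcheruv1\cftmon.exe
2008-03-04 20:04 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 14:25 18,319 ----a-w C:\Documents and Settings\All Users\Application Data\diwyki.pif
2008-02-29 14:25 18,031 ----a-w C:\WINDOWS\awituzon.com
2008-02-29 14:25 16,798 ----a-w C:\Documents and Settings\All Users\Application Data\paju.reg
2008-02-29 14:25 16,516 ----a-w C:\Program Files\Common Files\ujygenoc.sys
2008-02-29 14:25 14,289 ----a-w C:\WINDOWS\onywacib.reg
2008-02-29 14:25 10,656 ----a-w C:\WINDOWS\kijoh.bat
2008-01-31 20:16 4,858 ----a-w C:\UHPONREM.dat
"""
# Paths from the "Other Deletions" section (no timestamps there).
DELETED_PATHS = [
    r"C:\WINDOWS\system32\drivers\spools.exe",
    r"C:\WINDOWS\system32\WLCtrl32.dll",
]
# Assumed, partial list of legitimate Windows process names.
KNOWN_SYSTEM_BINARIES = {
    "ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe",
}
# Extensions that count towards a "drop burst".
DROP_EXTENSIONS = {".exe", ".dll", ".sys", ".pif", ".com", ".bat", ".scr", ".reg"}

LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"  # creation timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"      # modified timestamp (Files Created only)
    r" (?P<size>[\d,]+|<DIR>|-+) (?P<attrs>\S+) (?P<path>.+)$"
)


def _basename(path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so that cftmon/ctfmon counts as one change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """(created timestamp, path) for every file line; directories are skipped."""
    rows = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m and m["size"] != "<DIR>" and not m["attrs"].startswith("d"):
            rows.append((m["created"], m["path"]))
    return rows


def lookalikes(paths: Iterable[str], max_distance: int = 1) -> List[Tuple[str, str]]:
    """Paths whose file name is within max_distance of a known binary name
    without being that name."""
    hits = []
    for path in paths:
        name = _basename(path).lower()
        if name in KNOWN_SYSTEM_BINARIES:
            continue
        for legit in sorted(KNOWN_SYSTEM_BINARIES):
            if osa_distance(name, legit) <= max_distance:
                hits.append((path, legit))
                break
    return hits


def creation_bursts(rows: List[Tuple[str, str]], min_files: int = 3) -> List[Tuple[str, List[str]]]:
    """Minutes in which at least min_files executable-type files were created."""
    by_minute: Dict[str, List[str]] = defaultdict(list)
    for created, path in rows:
        if splitext(_basename(path))[1].lower() in DROP_EXTENSIONS:
            by_minute[created].append(path)
    return sorted((ts, ps) for ts, ps in by_minute.items() if len(ps) >= min_files)


def triage_listing(listing_text: str, extra_paths: Iterable[str] = ()) -> dict:
    rows = parse_listing(listing_text)
    return {"lookalikes": lookalikes([p for _, p in rows] + list(extra_paths)),
            "bursts": creation_bursts(rows)}


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING, DELETED_PATHS)
    for path, legit in result["lookalikes"]:
        print(f"lookalike: {path} (resembles {legit})")
    for ts, paths in result["bursts"]:
        print(f"burst at {ts}: {len(paths)} files")
```

The burst check deliberately keys on the creation timestamp, not the modified one, because a dropper writing several payloads in one go leaves identical creation minutes across unrelated directories, which is exactly what the 2008-02-29 group shows. The lookalike check is tuned to a distance of 1 so that ordinary vendor files do not collide with the short list; widening it needs a longer, curated list or it will flag legitimate names.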


#4 spyware_victim

spyware_victim
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 24 April 2008 - 04:10 PM

Now I have a few more issues. When I right-click and try "open in new window" it is not working; it opens in the current window only.
There is no sound control in the quick launch, and from Control Panel ==> Sounds and Audio Device properties it gives me NO AUDIO Device.
Till last night there was no issue with sound.

And many more look and feel changes happened.

Please help

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:05 PM

Posted 24 April 2008 - 07:20 PM

Let's be sure that we get rid of all your malware and then we'll come back and deal with these other issues that are probably not malware related.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\hsrqlcr.bmp
C:\Documents and Settings\kcheruv1\cftmon.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


===============



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


And if I may make a suggestion. You might want to keep your documents in a separate folder instead of storing them all in the root directory.


========================================================

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:05 PM

Posted 19 May 2008 - 07:55 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.


========================================================
