
sysnotifier.exe + XPShield +HiJackThisLog


  • This topic is locked
12 replies to this topic

#1 XViper (Members, 6 posts)

Posted 30 October 2008 - 01:26 AM

Hi guys,

I guess a quick intro is in order.
Pretty big fan of this place, despite the fact I've only just made an account and this is my first post. You have indirectly helped me solve many problems.
I work in IT, and have dealt with my fair share of viruses and malware. I take a small amount of pride in never having to actually make a post such as this, but right now I'm just stumped!

Ok, so onto the details.

Below is a computer of a colleague I am trying to assist.
He was initially infected with far more things than remain now; however, everything seems to be gone except for this recurring sysnotifier.exe, which causes popups such as:

"SysGuard Tracking Process Found
Malicious code found at 0x17DA839A
Data Interception cannot be stopped"

"Your computer might be at risk
System Appears to Hang
Internal System Errors are found
Click ok to fix this problem"

"Services.exe has stopped working
A problem caused the program to stop working correctly.
Click ok to fix the problem"

and some others.
When you click OK, attempt to close, or even end the application task via Task Manager, it attempts to go to an XPShield website and automatically tries to download the fake anti-virus software. (XPShield is not installed; the only thing remaining seems to be this thing that tries to get the user to download it again.) Also worth noting that I can't seem to locate a process that I can kill to make the popup go away. They used to appear in the form of tray popups that sysnotifier.exe ran (but I fixed that much). These are actual windows that pop up.

Now the interesting bit.
SAV Corporate 10.1 is running on this system. It detects sysnotifier.exe as being in C:\Windows\ when the popups occur.
SAV reports it as an XPShield file, but cannot remove it (access denied). However, sysnotifier does not appear to be running as a process, nor does it even appear in C:\Windows\ when I check. It seems to disappear as quickly as it reappears to cause the popups described above.

Things I have run are: (regular boot and Safe Mode)
Symantec Anti-Virus 10.1
Malwarebytes Anti-Malware (this is still installed)
Smitfraudfix
Vundofix
ATF? (one that cleans temp files)
I held off from playing around with Combofix for the moment.

Let me know what you need, and I'll get it for you.
Below is the most recent HiJackThis log.

Thanks in advance for any assistance.
Please note: My access to this machine is restricted to limited time during work hours, but I'll act on any advice you give ASAP.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24:20, on 2008-10-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.unisa.edu.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unisa.edu.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by University of South Australia
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 130.220.*;*.unisa.edu.au;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.unisa.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UniNet.unisa.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = UniNet.unisa.edu.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UniNet.unisa.edu.au
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5779 bytes

Edited by XViper, 30 October 2008 - 01:30 AM.



#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 31 October 2008 - 03:01 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I'm up for a challenge right now.

First let's get a more detailed log so we can determine the best plan of attack for you.
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports, located in the same folder as OTViewIt, will be produced:
    OTViewIt.txt <-- will be opened
    Extra.txt <-- will be minimized
Copy and Paste the logs into your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
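The OTViewIt log in the next reply lists one DLL with no version information, C:\Program Files\Windows Media Player\Skins\biosamin.dll, both under "(O2) BHO's" and under "(O20) Winlogon Notify Settings", while the HijackThis log in the first post shows no O2 or O20 lines at all. A Winlogon Notify DLL is loaded into winlogon.exe rather than started as its own process, so Task Manager never shows it as something you can kill. The Python below is an added example, not code from this thread or from OTViewIt's author: it parses the OTViewIt line format shown on this page and flags code-loading entries by three heuristics (no publisher, a Notify DLL outside system32, the same DLL registered in both O2 and O20). The sample lines are copied from the posted log and trimmed to a few entries; the heuristics and their weighting are the editor's assumptions about what deserves a closer look, not a verdict on any file.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the OTViewIt log posted in this thread
# (O2, O4 and O20 sections), trimmed to a handful of entries.
SAMPLE_LOG = r"""
========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB} (HKLM) -- C:\Program Files\Windows Media Player\Skins\biosamin.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"HControl"=C:\WINDOWS\ATK0100\HControl.exe ()

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
biosamin: "DllName" = C:\Program Files\Windows Media Player\Skins\biosamin.dll -- C:\Program Files\Windows Media Player\Skins\biosamin.dll ()
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
NavLogon: "DllName" = C:\WINDOWS\system32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
"""

# Section headers look like "========== (O20) Winlogon Notify Settings =========="
SECTION_RE = re.compile(r"^=+ \((O\d+)\)")
# A Windows path ending in a loadable file, optionally quoted, followed by the
# publisher OTViewIt prints in parentheses (empty parentheses = no version info).
ENTRY_RE = re.compile(
    r'([A-Za-z]:\\[^()\r\n]*?\.(?:dll|exe|sys))"?\s*\(([^()]*)\)\s*$', re.IGNORECASE)

# Sections whose entries get code loaded into IE (O2), at logon (O4) or into
# winlogon.exe itself (O20).
CODE_LOADING = {"O2", "O4", "O20"}


def parse_entries(log_text):
    """Yield (section, path, publisher) for every file-bearing line in an OTViewIt-style log."""
    section = None
    for line in log_text.splitlines():
        if line.startswith("=========="):
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None
            continue
        if section is None:
            continue
        # OTViewIt separates the raw registry value from the resolved file with " -- ";
        # the resolved path is always the last segment.
        tail = line.rsplit(" -- ", 1)[-1]
        m = ENTRY_RE.search(tail)
        if m:
            yield section, m.group(1), m.group(2).strip()


def suspicious_entries(log_text):
    """Map lower-cased path -> list of reasons for autostart entries worth a closer look.

    Heuristics (editor's assumptions, not OTViewIt's own verdicts):
      - no publisher/version information in a code-loading section (weak on its own;
        OEM utilities such as HControl.exe in the posted log also lack it)
      - a Winlogon Notify DLL living outside the system32 directory (unusual)
      - the same DLL registered as both a BHO and a Winlogon Notify DLL (strong)
    """
    reasons = defaultdict(list)
    sections_by_path = defaultdict(set)
    for section, path, publisher in parse_entries(log_text):
        if section not in CODE_LOADING:
            continue
        key = path.lower()
        sections_by_path[key].add(section)
        if not publisher:
            reasons[key].append(f"{section}: no publisher/version info")
        if section == "O20" and "\\windows\\system32\\" not in key:
            reasons[key].append("O20: Winlogon Notify DLL outside system32")
    for key, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            reasons[key].append("registered as both a BHO (O2) and a Winlogon Notify DLL (O20)")
    return dict(reasons)


def report(log_text):
    """Return (path, reasons) pairs, most suspicious first."""
    flagged = suspicious_entries(log_text)
    return sorted(flagged.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for path, why in report(SAMPLE_LOG):
        print(path + "\n    " + "\n    ".join(why))
```

Run it as a script to print the ranked list. The single-reason hit on HControl.exe shows why the empty-publisher check on its own is too noisy to act on; the biosamin.dll entry scores on all three checks, and it is the O2 plus O20 double registration that singles it out.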


========================================================

#3 XViper (Topic Starter; Members, 6 posts)

Posted 02 November 2008 - 06:23 PM

Hi Sam,

Thanks heaps for your help :thumbsup:

Below are the contents of both log files created. Have also added as attachments.

OTViewIt logfile created on: 2008-11-03 09:48:40 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\kumars\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: yyyy-MM-dd

1007.30 Mb Total Physical Memory | 378.24 Mb Available Physical Memory | 37.55% Memory free
2.37 Gb Paging File | 1.88 Gb Available in Paging File | 79.27% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.26 Gb Total Space | 16.99 Gb Free Space | 58.05% Space Free | Partition Type: FAT32
Drive D: | 45.25 Gb Total Space | 45.00 Gb Free Space | 99.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 465.76 Gb Total Space | 36.91 Gb Free Space | 7.92% Space Free | Partition Type: NTFS

Computer Name: IWR229152
Current User Name: kumars
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006-11-21 17:38:40 | 00,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2006-11-21 17:38:32 | 00,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2007-01-10 16:27:38 | 01,160,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
[2007-03-14 19:48:40 | 00,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
[2007-09-21 18:03:42 | 00,224,768 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.exe
[2007-03-14 19:48:56 | 00,116,416 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
[2007-03-14 19:48:50 | 01,816,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
[2004-09-22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
[2007-09-19 15:55:02 | 00,073,728 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.exe
[2004-11-02 09:03:44 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2004-11-02 08:59:42 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2004-07-05 19:35:00 | 02,550,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
[2005-05-12 15:15:14 | 00,102,400 | R--- | M] () -- C:\WINDOWS\ATK0100\HControl.exe
[2004-11-05 23:59:00 | 00,073,728 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2002-12-10 10:49:20 | 00,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
[2006-11-21 17:38:28 | 00,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2007-03-14 19:49:02 | 00,125,632 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\SYMANT~1\VPTray.exe
[2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2008-04-23 17:45:34 | 22,058,792 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
[2005-05-10 10:12:22 | 01,953,792 | R--- | M] () -- C:\WINDOWS\ATK0100\ATKOSD.exe
[2008-04-23 17:45:36 | 00,076,744 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
[2008-04-23 15:09:50 | 00,199,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
[2008-07-03 18:36:56 | 12,313,096 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
[2008-08-23 16:26:16 | 00,635,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2006-05-16 22:15:10 | 00,071,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
[2008-11-03 09:44:46 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kumars\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007-04-13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2006-11-21 17:38:32 | 00,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2006-11-21 17:38:40 | 00,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2007-04-13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007-03-14 19:48:40 | 00,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2007-09-21 18:03:42 | 00,224,768 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.exe -- (DWMRCS [Auto | Running])
[2006-09-02 16:36:34 | 02,528,960 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE -- (LiveUpdate [On_Demand | Stopped])
[2003-07-28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007-03-14 19:48:56 | 00,116,416 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [Auto | Running])
[2007-02-12 17:23:10 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
[2007-01-10 16:27:38 | 01,160,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [Auto | Running])
[2007-03-14 19:48:50 | 01,816,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2004-09-22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services ==========

[2004-11-05 23:59:00 | 02,284,864 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
[2007-02-08 13:00:00 | 00,002,944 | ---- | M] (DameWare Development, Inc.) -- C:\WINDOWS\system32\DRIVERS\DamewareMini.sys -- (DwMirror [On_Demand | Running])
[2007-02-16 13:00:00 | 00,026,624 | ---- | M] (DameWare) -- C:\WINDOWS\system32\DRIVERS\dwvkbd.sys -- (dwvkbd [System | Running])
[2008-10-15 14:45:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2008-10-30 09:57:48 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2008-04-13 22:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Stopped])
[2004-09-03 00:49:00 | 00,200,064 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys -- (HSFHWICH [On_Demand | Running])
[2004-09-03 00:49:00 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
[2004-11-02 09:27:20 | 00,773,565 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
[2004-03-12 14:40:28 | 00,032,640 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS -- (IFXTPM [On_Demand | Stopped])
[2004-07-06 18:29:00 | 02,185,408 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Stopped])
[2004-09-03 00:49:00 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2005-02-17 23:07:48 | 00,005,632 | R--- | M] () -- C:\WINDOWS\system32\DRIVERS\ATKACPI.sys -- (MTsensor [On_Demand | Running])
[2008-10-15 14:45:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081028.004\naveng.sys -- (NAVENG [On_Demand | Running])
[2008-10-15 14:45:00 | 00,873,552 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081028.004\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2002-08-29 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004-08-03 22:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
[2006-09-06 14:41:20 | 00,337,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2006-09-06 14:41:20 | 00,054,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2007-11-13 20:55:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2003-03-25 17:50:46 | 00,004,096 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\WINDOWS\system32\DRIVERS\siside.sys -- (SiSide [Disabled | Stopped])
[2007-01-10 16:27:26 | 00,390,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
[2008-10-29 11:04:40 | 00,110,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2007-02-12 17:22:36 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
[2007-02-12 17:22:40 | 00,196,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
[2004-10-29 18:48:08 | 03,222,784 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Stopped])
[2004-09-03 00:49:00 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2004-06-16 07:14:00 | 00,180,480 | ---- | M] (Marvell) -- C:\WINDOWS\System32\DRIVERS\yk51x86.sys -- (yukonwxp [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=C:\windows\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.unisa.edu.au
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.unisa.edu.au

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 1
"ProxyOverride" = 130.220.*;*.unisa.edu.au;<local>

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.unisa.edu.au
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.unisa.edu.au

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 1
"ProxyOverride" = 130.220.*;*.unisa.edu.au;<local>

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB} (HKLM) -- C:\Program Files\Windows Media Player\Skins\biosamin.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcWzrd"=ALCWZRD.EXE (RealTek Semicoductor Corp.)
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"HControl"=C:\WINDOWS\ATK0100\HControl.exe ()
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientAXDisabler"=cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (Microsoft Corporation)
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientAXDisabler"=cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (Microsoft Corporation)
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2005-09-24 16:35:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008-08-04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2008-08-04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{77BF5300-1474-4EC7-9980-D32B190E9B07}: Button: Skype -- %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-04-23 17:45:36 | 01,377,576 | ---- | M] (Skype Technologies S.A.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [2007-04-19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007-04-19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007-04-19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007-04-19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1818349276-1015700856-800089250-71915\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007-04-19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}: http://office.microsoft.com/officeupdate/content/opuc.cab -- Office Update Installation Engine
DirectAnimation Java Classes: file://C:\WINDOWS\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{1EAD4001-ADB9-4A4C-896A-3C6D2ECB34C8} (Servers: | Description: Intel® PRO/Wireless 2200BG Network Connection)
{9F6AB038-EC18-42D0-9011-810D4334C175} (Servers: | Description: 1394 Net Adapter)
{FE6BB1BD-C8A0-41A6-AAA5-6C8B987D6060} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
biosamin: "DllName" = C:\Program Files\Windows Media Player\Skins\biosamin.dll -- C:\Program Files\Windows Media Player\Skins\biosamin.dll ()
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
NavLogon: "DllName" = C:\WINDOWS\system32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2004-11-10 11:58:14 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2008-11-03 09:48:26 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kumars\Desktop\OTViewIt.exe
[2008-10-31 17:16:10 | 00,821,761 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-ElastomericProteins-2008.pdf
[2008-10-31 17:12:45 | 00,429,401 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-Metallic-2008.pdf
[2008-10-31 17:10:13 | 00,875,678 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-PeptideBased-Interfacial-2008.pdf
[2008-10-31 16:37:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kumars\My Documents\ASBTE-TravelAwards2009
[2008-10-31 10:49:21 | 00,049,152 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\IWRI PUBLICATIONS 2008-311008.xls
[2008-10-30 16:25:38 | 00,001,716 | -H-- | C] () -- C:\Documents and Settings\kumars\My Documents\Default.rdp
[2008-10-30 13:00:39 | 00,001,916 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2008-10-30 12:24:32 | 00,001,638 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\HijackThis.lnk
[2008-10-30 12:24:32 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008-10-29 18:06:00 | 00,049,152 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\IWRI PUBLICATIONS 2008.xls
[2008-10-29 11:04:20 | 00,110,952 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2008-10-29 11:04:20 | 00,048,768 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2008-10-29 11:04:20 | 00,008,014 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2008-10-29 11:04:20 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2008-10-29 11:03:05 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2008-10-29 10:44:19 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2008-10-29 10:42:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2008-10-29 10:33:05 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008-10-29 10:33:05 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008-10-29 10:33:05 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008-10-29 10:33:05 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008-10-29 10:33:05 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008-10-29 10:33:05 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008-10-29 10:33:05 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008-10-29 10:33:05 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008-10-29 10:33:05 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008-10-29 10:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008-10-29 10:32:48 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008-10-29 10:24:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kumars\Application Data\Malwarebytes
[2008-10-29 10:23:37 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008-10-29 10:23:37 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008-10-29 10:23:35 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008-10-29 10:23:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008-10-29 10:23:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008-10-29 10:22:24 | 00,000,000 | ---D | C] -- C:\Virus Removal Tools
[2008-10-28 17:25:20 | 00,036,352 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Naba_Namita_Sunil_mod_Theme 3A (3).doc
[2008-10-28 16:36:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008-10-28 12:50:31 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Abstract-ASBTE Conference Sydney 2009.doc
[2008-10-27 16:03:48 | 00,049,548 | ---- | C] () -- C:\WINDOWS\System32\vhcsutao.dll
[2008-10-27 15:40:34 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\xweveiwf.ini
[2008-10-27 15:21:32 | 00,691,145 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Cloud-SCT-14684.pdf
[2008-10-27 15:04:26 | 00,058,880 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Publications-IWRI-2008-InPress.doc
[2008-10-27 13:41:41 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\nvqxrfmn.ini
[2008-10-24 16:28:40 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Ref-Gen.doc
[2008-10-24 10:24:43 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008-10-22 15:41:07 | 01,024,372 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\HA-SBF-GrowthKinetics-NiTI-2006.pdf
[2008-10-22 15:34:17 | 00,448,875 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\HA-SBF-GrowthKinetics-2003.pdf
[2008-10-21 15:02:09 | 00,048,128 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Publications-InternalProforma.doc
[2008-10-20 17:32:20 | 00,041,984 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\TS3 Biosurfaces-2009-SecondPreference.xls
[2008-10-20 17:13:43 | 00,041,984 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\TS3 Biosurfaces-2009-FirstPreference.xls
[2008-10-20 10:58:21 | 01,448,260 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\BloodContactMaterials-Review-2007.pdf
[2008-10-20 10:53:16 | 01,545,072 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\InflammatoryResponse-Reduction-Fibrinogen-2008.pdf
[2008-10-17 10:53:57 | 00,162,843 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Microarrays-Death-NatureNews-15102008.pdf
[2008-10-16 16:32:29 | 00,011,274 | ---- | C] () -- C:\Documents and Settings\kumars\My Documents\AluminaScaffolds.enl
[2008-10-16 16:32:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kumars\My Documents\AluminaScaffolds.Data
[2008-10-16 16:25:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kumars\Application Data\EndNote
[2008-10-16 16:25:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Risxtd
[2008-10-16 16:24:58 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Thomson ResearchSoft
[2008-10-16 16:24:14 | 00,000,000 | ---D | C] -- C:\Program Files\EndNote X1
[2008-10-16 16:24:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\EndNote
[2008-10-16 09:52:30 | 02,746,157 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Silica-Nanoparticles-Bioconjugation-2008.pdf
[2008-10-15 17:53:19 | 01,334,784 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\AluminaScaffolds-Manuscript2008.doc
[2008-10-15 17:45:06 | 00,959,085 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Vascular grafts-SelfEndothelial-2008.pdf
[2008-10-15 09:36:12 | 00,333,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008-10-15 09:36:01 | 01,846,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008-10-15 09:35:58 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008-10-15 09:35:57 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008-10-15 09:35:56 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008-10-15 09:35:55 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008-10-14 17:58:31 | 00,148,480 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\AppliedSurfaceScience-Cover Letter.doc
[2008-10-14 17:44:50 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\AppliedSurfaceScience-Referees List.doc
[2008-10-13 15:28:59 | 01,185,307 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Cells-MSCs-ModulusDependence-Discher2006.pdf
[2008-10-13 09:46:05 | 00,205,657 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\PlasmaTreatment-PLA-Agarwal-2008.pdf
[2008-10-10 17:49:50 | 00,785,214 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\HA-Electrical-2008.pdf
[2008-10-10 11:33:14 | 00,207,669 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Kim-IEEE-2006.pdf
[2008-10-10 11:14:32 | 00,482,529 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Plasma-Nanopatterning-dAgostino-2006.pdf
[2008-10-10 11:09:25 | 00,618,533 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\PlamsaProcessing-Nanobiotech-2008-Rossi.pdf
[2008-10-10 11:03:36 | 00,491,932 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\Plasma-FuntionalGroups-Rossi-2006.pdf
[2008-10-09 17:02:48 | 00,593,224 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\DLC-AminoFunctional-2008.pdf
[2008-10-09 12:40:10 | 02,260,025 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\ProteinAdsorption-Fibrinogen-AFM-2001.pdf
[2008-10-09 12:37:30 | 00,338,161 | ---- | C] () -- C:\Documents and Settings\kumars\Desktop\ProteinAdsorption-Fibrinogen-AFM-2000.pdf

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2008-11-03 09:44:46 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kumars\Desktop\OTViewIt.exe
[2008-11-03 09:06:16 | 61,153,3824 | ---- | M] () -- C:\Documents and Settings\kumars\My Documents\Personal Folder.pst
[2008-11-03 09:03:44 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008-11-03 09:03:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008-11-03 09:03:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008-10-31 17:16:12 | 00,821,761 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-ElastomericProteins-2008.pdf
[2008-10-31 17:12:46 | 00,429,401 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-Metallic-2008.pdf
[2008-10-31 17:10:14 | 00,875,678 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Biomaterials-PeptideBased-Interfacial-2008.pdf
[2008-10-31 12:55:12 | 00,049,152 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\IWRI PUBLICATIONS 2008.xls
[2008-10-31 12:54:58 | 00,049,152 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\IWRI PUBLICATIONS 2008-311008.xls
[2008-10-30 18:08:32 | 00,058,880 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Publications-IWRI-2008-InPress.doc
[2008-10-30 16:27:34 | 00,001,716 | -H-- | M] () -- C:\Documents and Settings\kumars\My Documents\Default.rdp
[2008-10-30 13:05:00 | 00,001,916 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2008-10-30 12:24:34 | 00,001,638 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\HijackThis.lnk
[2008-10-29 16:02:30 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Abstract-ASBTE Conference Sydney 2009.doc
[2008-10-29 11:04:40 | 00,110,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2008-10-29 11:04:40 | 00,048,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2008-10-29 11:04:40 | 00,008,014 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2008-10-29 11:04:40 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2008-10-29 10:41:06 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008-10-29 10:23:38 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008-10-28 17:36:40 | 00,036,352 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Naba_Namita_Sunil_mod_Theme 3A (3).doc
[2008-10-28 16:36:34 | 00,000,000 | ---- | M] () -- C:\WINDOWS\VPC32.INI
[2008-10-27 16:03:50 | 00,049,548 | ---- | M] () -- C:\WINDOWS\System32\vhcsutao.dll
[2008-10-27 15:40:38 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\xweveiwf.ini
[2008-10-27 15:21:34 | 00,691,145 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Cloud-SCT-14684.pdf
[2008-10-27 14:25:48 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\nvqxrfmn.ini
[2008-10-24 17:25:54 | 00,032,256 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\List of Items Lent.doc
[2008-10-24 16:28:42 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Ref-Gen.doc
[2008-10-22 16:27:34 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008-10-22 16:27:26 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008-10-22 15:41:08 | 01,024,372 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\HA-SBF-GrowthKinetics-NiTI-2006.pdf
[2008-10-22 15:34:18 | 00,448,875 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\HA-SBF-GrowthKinetics-2003.pdf
[2008-10-21 15:02:12 | 00,048,128 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Publications-InternalProforma.doc
[2008-10-20 18:31:10 | 00,041,984 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\TS3 Biosurfaces-2009-SecondPreference.xls
[2008-10-20 18:29:42 | 00,041,984 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\TS3 Biosurfaces-2009-FirstPreference.xls
[2008-10-20 10:58:22 | 01,448,260 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\BloodContactMaterials-Review-2007.pdf
[2008-10-20 10:53:18 | 01,545,072 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\InflammatoryResponse-Reduction-Fibrinogen-2008.pdf
[2008-10-17 10:53:58 | 00,162,843 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Microarrays-Death-NatureNews-15102008.pdf
[2008-10-16 17:59:58 | 01,334,784 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\AluminaScaffolds-Manuscript2008.doc
[2008-10-16 16:50:08 | 00,011,274 | ---- | M] () -- C:\Documents and Settings\kumars\My Documents\AluminaScaffolds.enl
[2008-10-16 09:52:32 | 02,746,157 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Silica-Nanoparticles-Bioconjugation-2008.pdf
[2008-10-16 09:24:44 | 00,472,476 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008-10-16 09:24:44 | 00,404,302 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008-10-16 09:24:44 | 00,063,522 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008-10-16 09:20:14 | 00,209,696 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008-10-16 03:04:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netapi32.dll
[2008-10-16 03:04:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008-10-15 18:20:50 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008-10-15 18:19:30 | 00,000,583 | ---- | M] () -- C:\WINDOWS\win.ini
[2008-10-15 17:45:08 | 00,959,085 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Vascular grafts-SelfEndothelial-2008.pdf
[2008-10-14 17:59:32 | 00,148,480 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\AppliedSurfaceScience-Cover Letter.doc
[2008-10-14 17:46:04 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\AppliedSurfaceScience-Referees List.doc
[2008-10-14 17:11:26 | 00,657,408 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\ApplSurfSci-Manuscript-Final-141008.doc
[2008-10-13 15:29:00 | 01,185,307 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Cells-MSCs-ModulusDependence-Discher2006.pdf
[2008-10-13 09:46:06 | 00,205,657 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\PlasmaTreatment-PLA-Agarwal-2008.pdf
[2008-10-10 17:49:52 | 00,785,214 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\HA-Electrical-2008.pdf
[2008-10-10 11:33:16 | 00,207,669 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Kim-IEEE-2006.pdf
[2008-10-10 11:14:34 | 00,482,529 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Plasma-Nanopatterning-dAgostino-2006.pdf
[2008-10-10 11:09:26 | 00,618,533 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\PlamsaProcessing-Nanobiotech-2008-Rossi.pdf
[2008-10-10 11:03:38 | 00,491,932 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\Plasma-FuntionalGroups-Rossi-2006.pdf
[2008-10-09 17:02:50 | 00,593,224 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\DLC-AminoFunctional-2008.pdf
[2008-10-09 12:40:12 | 02,260,025 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\ProteinAdsorption-Fibrinogen-AFM-2001.pdf
[2008-10-09 12:37:32 | 00,338,161 | ---- | M] () -- C:\Documents and Settings\kumars\Desktop\ProteinAdsorption-Fibrinogen-AFM-2000.pdf
< End of report >


OTViewIt Extras logfile created on: 2008-11-03 09:48:40 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\kumars\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: yyyy-MM-dd

1007.30 Mb Total Physical Memory | 378.24 Mb Available Physical Memory | 37.55% Memory free
2.37 Gb Paging File | 1.88 Gb Available in Paging File | 79.27% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.26 Gb Total Space | 16.99 Gb Free Space | 58.05% Space Free | Partition Type: FAT32
Drive D: | 45.25 Gb Total Space | 45.00 Gb Free Space | 99.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 465.76 Gb Total Space | 36.91 Gb Free Space | 7.92% Space Free | Partition Type: NTFS

Computer Name: IWR229152
Current User Name: kumars
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0x00000000
"FirewallDisableNotify"=0x00000000
"UpdatesDisableNotify"=0x00000000
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008-04-14 05:42:36 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008-04-14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008-04-23 17:45:34 | 22,058,792 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008-04-14 05:42:36 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008-04-14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger
[2008-04-14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008-04-23 17:45:34 | 22,058,792 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005-09-20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005-09-20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005-09-20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000-04-19 18:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007-03-14 13:10:22 | 07,255,384 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007-05-10 13:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008-04-23 17:45:34 | 01,942,864 | R--- | M] (Skype Technologies) C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2007-04-19 13:57:40 | 00,046,432 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1DC6563E-181C-4A28-AE7C-6256C3268511}"=DameWare Mini Remote Control Client Agent Service
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}"=Microsoft Windows Journal Viewer
"{50E125D1-88E5-48CE-80AE-98EC9698E639}"=Symantec AntiVirus
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.8
"{6341ED62-B92F-4BDB-AAAF-99B305384275}"=Technology One Crystal Report Viewer
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}"=EndNote X1
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Graphics Media Accelerator Driver for Mobile
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{AC76BA86-7AD7-1033-7B44-A70000000000}"=Adobe Reader 7.0.8
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_18261043"=SoftV92 Data Fax Modem with SmartCP
"HControl"=ATK0100 ACPI UTILITY
"HijackThis"=HijackThis 2.0.2
"hp deskjet 5550 series"=hp deskjet 5550 series (Remove only)
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"ISI ResearchSoft - Export Helper"=ISI ResearchSoft - Export Helper
"LiveUpdate"=LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2008-10-30 03:59:37 | Computer Name = IWR229152 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: XPShield in File: C:\WINDOWS\SysNotifier.exe by:
Auto-Protect scan. Action: Access denied. Action Description:

Error - 2008-10-30 03:59:37 | Computer Name = IWR229152 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: XPShield in File: C:\WINDOWS\SysNotifier.exe
by: Auto-Protect scan. Action: Access denied. Action Description:

Error - 2008-10-30 04:37:15 | Computer Name = IWR229152 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-10-30 06:41:41 | Computer Name = IWR229152 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-10-30 14:41:42 | Computer Name = IWR229152 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2008-10-30 23:03:14 | Computer Name = IWR229152 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16735, faulting
module mshtml.dll, version 7.0.6000.16735, fault address 0x0004d478.

Error - 2008-10-31 03:15:27 | Computer Name = IWR229152 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8217.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2008-11-02 18:56:12 | Computer Name = IWR229152 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: XPShield in File: C:\WINDOWS\SysNotifier.exe by:
Auto-Protect scan. Action: Pending Side Effects Analysis : Access denied. Action
Description:

Error - 2008-11-02 18:56:23 | Computer Name = IWR229152 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: XPShield in File: C:\WINDOWS\SysNotifier.exe
by: Auto-Protect scan. Action: Quarantine failed : Delete failed. Action Description:
The file was left unchanged.

Error - 2008-11-02 18:56:23 | Computer Name = IWR229152 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: XPShield in File: C:\WINDOWS\SysNotifier.exe by:
Auto-Protect scan. Action: Access denied. Action Description:

[ System Events ]
Error - 2008-10-29 22:36:03 | Computer Name = IWR229152 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2008-10-29 22:36:40 | Computer Name = IWR229152 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2008-10-29 22:40:36 | Computer Name = IWR229152 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2008-10-29 22:40:44 | Computer Name = IWR229152 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2008-10-29 22:41:41 | Computer Name = IWR229152 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain UNINET due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 2008-10-29 22:44:57 | Computer Name = IWR229152 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-29 22:46:34 | Computer Name = IWR229152 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain UNINET due to the following:
%%1722. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 2008-10-29 22:46:53 | Computer Name = IWR229152 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-29 22:49:57 | Computer Name = IWR229152 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-31 02:15:08 | Computer Name = IWR229152 | Source = Service Control Manager | ID = 7031
Description = The Symantec AntiVirus service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 10000 milliseconds:
Restart the service.


< End of report >


Edited by XViper, 02 November 2008 - 06:24 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 November 2008 - 06:37 PM

Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:


    C:\WINDOWS\System32\vhcsutao.dll


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Also submit these files:

C:\WINDOWS\System32\xweveiwf.ini
C:\WINDOWS\System32\nvqxrfmn.ini


If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


=================


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 XViper

XViper
  • Topic Starter

  • Members
  • 6 posts

Posted 02 November 2008 - 08:07 PM

Hi Sam,

Thanks for that. Looks like you're onto something.

Almost wanted to go and delete those 3 files immediately (after getting the below results), but thought I'd best follow your instructions to the letter, and wait for your order. :thumbsup:

It bothers me that files 2 & 3 are only detected by 1 of 20 AV scanners!

File: vhcsutao.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 5efb5976c5e92fef2e0b4ca0855055e0
Packers detected: -

Scanner results
Scan taken on 03 Nov 2008 00:37:56 (GMT)
A-Squared Found Trojan.Win32.Monder!IK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:VunDrop
AVG Antivirus Found Generic10.AIEO
BitDefender Found Trojan.Generic.290979
ClamAV Found Trojan.Vundo-3536
CPsecure Found AdWare.W32.Virtumonde.he
Dr.Web Found Trojan.Virtumod.based.11
F-Prot Antivirus Found W32/Trojan2.ASZP
F-Secure Anti-Virus Found Trojan.Win32.Monder.gen
G DATA Found nothing
Ikarus Found Trojan.Win32.Monder
Kaspersky Anti-Virus Found Trojan.Win32.Monder.gen
NOD32 Found Win32/TrojanDownloader.Agent.NZG
Norman Virus Control Found W32/Virtumonde.VWG
Panda Antivirus Found Malicious
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Monder.gen

----------------

File: xweveiwf.ini
Status: INFECTED/MALWARE
MD5: 124ae1dca4b86af68a23ea9635863131
Packers detected: -

Scanner results
Scan taken on 03 Nov 2008 00:33:32 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found Vundo.FBW
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

--------------

File: nvqxrfmn.ini
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 124ae1dca4b86af68a23ea9635863131
Packers detected: -

Scanner results
Scan taken on 03 Nov 2008 00:36:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found Vundo.FBW
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


As for SDFix.

Also worth noting:
When SDFix did the restart, the virus popped up (the usual popups as described, before the desktop even loaded, at the same time SDFix was doing its final scan).
After SDFix was completed, the desktop did not load. Had to run explorer.exe via Task Manager.

SDFix: Version 1.238
Run by Administrator on Mon 03/11/2008 at 11:21

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 11:26:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

Remaining Files :



Files with Hidden Attributes :

Thu 28 Sep 2006 640,512 ...H. --- "C:\Documents and Settings\kumars\Desktop\~WRL0002.tmp"

Finished!


I await your orders :)

Edited by XViper, 02 November 2008 - 08:08 PM.
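The Jotti output pasted in the post above (and the submission steps in Buckeye_Sam's post #4) is easy to eyeball for one file, but the same format turns up for every suspect file in a cleanup, so here is a small triage script. It is an added example, not a tool from the thread, from Jotti or from BleepingComputer. The vhcsutao.dll block inside it is copied from the posted results; the two .ini blocks are rebuilt from the same post (every engine "nothing" except Norman Virus Control). Two things it makes explicit that the raw paste does not: the per-file detection ratio (16/20 versus 1/20), and that xweveiwf.ini and nvqxrfmn.ini carry the same MD5, so they are byte-identical content under two names, which is why one verdict applies to both.

```python
"""Triage Jotti-style multi-engine scan results as pasted in this thread.

Added example (not a Jotti or BleepingComputer tool). Parses the plain-text
result blocks, counts how many engines flagged each file and groups files
by MD5 so identical content under two names is recognised.
"""
import re
from collections import defaultdict

SCANNERS = [
    "A-Squared", "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender",
    "ClamAV", "CPsecure", "Dr.Web", "F-Prot Antivirus", "F-Secure Anti-Virus",
    "G DATA", "Ikarus", "Kaspersky Anti-Virus", "NOD32", "Norman Virus Control",
    "Panda Antivirus", "Sophos Antivirus", "VirusBuster", "VBA32",
]

# Copied from the results XViper posted for vhcsutao.dll.
DLL_RESULTS = """File: vhcsutao.dll
Status: INFECTED/MALWARE
MD5: 5efb5976c5e92fef2e0b4ca0855055e0
Packers detected: -

Scanner results
Scan taken on 03 Nov 2008 00:37:56 (GMT)
A-Squared Found Trojan.Win32.Monder!IK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:VunDrop
AVG Antivirus Found Generic10.AIEO
BitDefender Found Trojan.Generic.290979
ClamAV Found Trojan.Vundo-3536
CPsecure Found AdWare.W32.Virtumonde.he
Dr.Web Found Trojan.Virtumod.based.11
F-Prot Antivirus Found W32/Trojan2.ASZP
F-Secure Anti-Virus Found Trojan.Win32.Monder.gen
G DATA Found nothing
Ikarus Found Trojan.Win32.Monder
Kaspersky Anti-Virus Found Trojan.Win32.Monder.gen
NOD32 Found Win32/TrojanDownloader.Agent.NZG
Norman Virus Control Found W32/Virtumonde.VWG
Panda Antivirus Found Malicious
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Monder.gen
"""


def ini_block(name, md5, stamp):
    """Rebuild the two .ini result blocks from the thread: every engine
    reported 'nothing' except Norman Virus Control (Vundo.FBW)."""
    lines = [f"File: {name}", "Status: INFECTED/MALWARE", f"MD5: {md5}",
             "Packers detected: -", "", "Scanner results", f"Scan taken on {stamp}"]
    for s in SCANNERS:
        verdict = "Vundo.FBW" if s == "Norman Virus Control" else "nothing"
        lines.append(f"{s} Found {verdict}")
    return "\n".join(lines) + "\n"


# Three blocks separated the way Jotti's paste separates them.
SAMPLE = "\n----------------\n\n".join([
    DLL_RESULTS,
    ini_block("xweveiwf.ini", "124ae1dca4b86af68a23ea9635863131", "03 Nov 2008 00:33:32 (GMT)"),
    ini_block("nvqxrfmn.ini", "124ae1dca4b86af68a23ea9635863131", "03 Nov 2008 00:36:01 (GMT)"),
])


def parse_jotti(text):
    """Return one dict per file: file, md5, detections (scanner -> name or None)."""
    results = []
    for block in re.split(r"\n-{3,}\n", text):
        if "File:" not in block:
            continue
        entry = {"file": None, "md5": None, "detections": {}}
        for line in block.splitlines():
            if line.startswith("File:"):
                entry["file"] = line.split(":", 1)[1].strip()
            elif line.startswith("MD5:"):
                entry["md5"] = line.split(":", 1)[1].strip().lower()
            elif " Found " in line:  # "<engine> Found <verdict|nothing>"
                scanner, verdict = line.split(" Found ", 1)
                verdict = verdict.strip()
                entry["detections"][scanner.strip()] = None if verdict == "nothing" else verdict
        results.append(entry)
    return results


def detection_ratio(entry):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for v in entry["detections"].values() if v)
    return hits, len(entry["detections"])


def group_by_md5(results):
    """Files sharing an MD5 are the same bytes; one verdict covers all of them."""
    groups = defaultdict(list)
    for e in results:
        groups[e["md5"]].append(e["file"])
    return dict(groups)


def triage(results, consensus=0.5):
    """'consensus' when at least half the engines agree, 'low-consensus' when
    only a few do (data files such as a 121-byte config rarely get signatures,
    so low-consensus is a reason to keep the file quarantined, not to trust it),
    'clean' when none do."""
    out = []
    for e in results:
        hits, total = detection_ratio(e)
        level = "clean" if hits == 0 else ("consensus" if hits / total >= consensus else "low-consensus")
        out.append((e["file"], hits, total, level))
    return out


if __name__ == "__main__":
    parsed = parse_jotti(SAMPLE)
    for name, hits, total, level in triage(parsed):
        print(f"{name:14} {hits:2}/{total} {level}")
    for md5, names in group_by_md5(parsed).items():
        if len(names) > 1:
            print(f"identical content ({md5}): {', '.join(names)}")
```

Run it as-is to see the three verdicts and the MD5 grouping; to triage your own paste, replace SAMPLE with the text copied from the results box. The 50% consensus threshold is an arbitrary choice for this example.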


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 November 2008 - 07:48 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#7 XViper

XViper
  • Topic Starter

  • Members
  • 6 posts

Posted 03 November 2008 - 07:37 PM

Hi Sam,

Thanks again.

Have run Combofix.
FYI Problem still exists.
FYI 2: During ComboFix's run, it closes things down. Amongst these was the 'popup' the virus continues to generate. When this happened it promptly opened the XPShield URL in an attempt to download itself again. Luckily I had removed the network cable prior, but reconnected for the recovery console download.

I don't think Combofix plays well with proxies, and the recovery console download did not go through.
However I manually downloaded it from here:
http://www.microsoft.com/downloads/details...;displaylang=en

When I run it, it goes on about asking me to insert 6 floppies etc. Who has a floppy drive these days? (Although I think I have a USB one lying around somewhere).
I have the required XP SP2 CDs to boot into recovery console, unless I'm missing something? Let me know what you want me to do.

Log below.

ComboFix 08-11-03.03 - kumars 2008-11-04 10:42:56.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.448 [GMT 10.5:30]
Running from: c:\documents and settings\kumars\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 11:21 . 2008-11-03 11:21 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-03 11:19 . 2008-11-03 11:19 <DIR> d-------- c:\windows\ERUNT
2008-11-03 10:59 . 2008-10-27 00:01 <DIR> d-------- C:\SDFix
2008-10-30 13:17 . 2004-11-10 15:09 <DIR> d---s---- c:\documents and settings\bottromv\UserData
2008-10-30 13:17 . 2008-10-30 13:17 <DIR> d-------- c:\documents and settings\bottromv
2008-10-30 13:00 . 2008-10-30 13:05 1,916 --a------ c:\windows\system32\tmp.reg
2008-10-30 12:24 . 2008-10-30 12:24 <DIR> d-------- c:\program files\Trend Micro
2008-10-29 11:15 . 2008-10-29 11:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-29 11:04 . 2008-10-29 11:04 110,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-29 11:04 . 2008-10-29 11:04 48,768 --a------ c:\windows\system32\S32EVNT1.DLL
2008-10-29 11:04 . 2008-10-29 11:04 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-29 11:04 . 2008-10-29 11:04 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-10-29 11:03 . 2008-10-29 11:03 <DIR> d-------- c:\program files\Symantec AntiVirus
2008-10-29 10:44 . 2008-10-29 10:44 <DIR> d-------- C:\VundoFix Backups
2008-10-29 10:24 . 2008-10-29 10:24 <DIR> d-------- c:\documents and settings\kumars\Application Data\Malwarebytes
2008-10-29 10:23 . 2008-10-29 10:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-29 10:23 . 2008-10-29 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-29 10:23 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-29 10:23 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-29 10:22 . 2008-10-29 10:22 <DIR> d-------- C:\Virus Removal Tools
2008-10-28 16:36 . 2008-10-28 16:36 0 --a------ c:\windows\VPC32.INI
2008-10-27 16:03 . 2008-10-27 16:03 49,548 --a------ c:\windows\system32\vhcsutao.dll
2008-10-27 15:40 . 2008-10-27 15:40 121 ---hs---- c:\windows\system32\xweveiwf.ini
2008-10-27 13:41 . 2008-10-27 14:25 121 ---hs---- c:\windows\system32\nvqxrfmn.ini
2008-10-24 10:24 . 2008-10-16 03:04 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 16:25 . 2008-10-16 16:25 <DIR> d-------- c:\program files\Common Files\Risxtd
2008-10-16 16:25 . 2008-10-16 16:25 <DIR> d-------- c:\documents and settings\kumars\Application Data\EndNote
2008-10-16 16:24 . 2008-10-16 16:24 <DIR> d-------- c:\program files\EndNote X1
2008-10-16 16:24 . 2008-10-16 16:25 <DIR> d-------- c:\program files\Common Files\Thomson ResearchSoft
2008-10-15 09:36 . 2008-09-15 22:42 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 09:36 . 2008-09-08 21:11 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 09:35 . 2008-08-14 20:41 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 09:35 . 2008-08-14 20:39 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 09:35 . 2008-08-14 20:03 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 09:35 . 2008-08-14 20:03 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-27 03:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-29_10.42.13.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 04:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-03 00:49:58 1,396,736 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-11-03 00:49:58 159,744 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 04:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-03 00:49:38 1,396,736 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-11-03 00:49:38 159,744 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-10-29 00:35:56 25,214 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
+ 2008-10-29 00:35:56 40,960 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-10-29 00:35:56 40,960 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2004-08-13 01:05:04 28,723 ----a-r c:\windows\system32\cba.dll
+ 2007-03-14 09:20:54 34,552 ----a-w c:\windows\system32\cba.dll
+ 2007-02-08 02:30:00 28,800 ----a-w c:\windows\system32\DamewareDisp.dll
+ 2007-02-08 02:30:00 2,944 ----a-w c:\windows\system32\drivers\DamewareMini.sys
+ 2007-02-16 02:30:00 26,624 ----a-w c:\windows\system32\drivers\dwvkbd.sys
- 2004-12-23 08:49:08 11,504 ----a-w c:\windows\system32\drivers\symdns.sys
+ 2007-02-12 06:52:16 12,944 ----a-w c:\windows\system32\drivers\symdns.sys
- 2004-12-23 08:49:10 166,640 ----a-w c:\windows\system32\drivers\symfw.sys
+ 2007-02-12 06:52:20 110,736 ----a-w c:\windows\system32\drivers\symfw.sys
- 2004-12-23 08:49:14 47,024 ----a-w c:\windows\system32\drivers\symids.sys
+ 2007-02-12 06:52:30 31,888 ----a-w c:\windows\system32\drivers\symids.sys
- 2004-12-23 08:49:12 52,048 ----a-w c:\windows\system32\drivers\symndis.sys
+ 2007-02-12 06:52:26 28,304 ----a-w c:\windows\system32\drivers\symndis.sys
- 2004-12-23 08:49:16 16,784 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2007-02-12 06:52:36 24,720 ----a-w c:\windows\system32\drivers\symredrv.sys
- 2004-12-23 08:49:18 264,240 ----a-w c:\windows\system32\drivers\symtdi.sys
+ 2007-02-12 06:52:40 196,752 ----a-w c:\windows\system32\drivers\symtdi.sys
- 1998-03-04 01:17:18 77,824 ----a-r c:\windows\system32\loc32vc0.dll
+ 2007-03-14 09:20:56 83,648 ----a-w c:\windows\system32\loc32vc0.dll
+ 2003-03-18 11:50:00 1,060,864 ----a-w c:\windows\system32\mfc71.dll
+ 2003-03-18 11:14:36 40,960 ----a-w c:\windows\system32\MFC71CHS.DLL
+ 2003-03-18 11:14:36 45,056 ----a-w c:\windows\system32\MFC71CHT.DLL
+ 2003-03-18 11:14:34 65,536 ----a-w c:\windows\system32\MFC71DEU.DLL
+ 2003-03-18 11:14:38 57,344 ----a-w c:\windows\system32\MFC71ENU.DLL
+ 2003-03-18 11:14:36 61,440 ----a-w c:\windows\system32\MFC71ESP.DLL
+ 2003-03-18 11:14:34 61,440 ----a-w c:\windows\system32\MFC71FRA.DLL
+ 2003-03-18 11:14:36 61,440 ----a-w c:\windows\system32\MFC71ITA.DLL
+ 2003-03-18 11:14:34 49,152 ----a-w c:\windows\system32\MFC71JPN.DLL
+ 2003-03-18 11:14:38 49,152 ----a-w c:\windows\system32\MFC71KOR.DLL
+ 2003-03-18 11:42:12 1,047,552 ----a-w c:\windows\system32\mfc71u.dll
- 2004-08-13 01:05:04 41,017 ----a-r c:\windows\system32\msgsys.dll
+ 2007-03-14 09:20:56 46,848 ----a-w c:\windows\system32\msgsys.dll
- 2004-12-30 03:49:46 55,104 ----a-w c:\windows\system32\NavLogon.dll
+ 2007-03-14 09:19:14 43,712 ----a-w c:\windows\system32\NavLogon.dll
- 2004-08-13 01:05:04 77,875 ----a-r c:\windows\system32\nts.dll
+ 2007-03-14 09:20:58 91,896 ----a-w c:\windows\system32\nts.dll
- 2004-08-13 01:05:04 65,590 ----a-r c:\windows\system32\pds.dll
+ 2007-03-14 09:21:00 83,704 ----a-w c:\windows\system32\pds.dll
- 2004-12-23 08:49:22 509,648 ----a-w c:\windows\system32\SymNeti.dll
+ 2007-02-12 06:52:48 538,256 ----a-w c:\windows\system32\SymNeti.dll
- 2004-12-23 08:49:20 116,432 ----a-w c:\windows\system32\SymRedir.dll
+ 2007-02-12 06:52:46 161,424 ----a-w c:\windows\system32\SymRedir.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2008-10-28 16:36 299008 --a------ c:\program files\Windows Media Player\Skins\biosamin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-05-12 102400]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"SoundMan"="SOUNDMAN.EXE" [2004-11-05 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\biosamin]
2008-10-28 16:36 299008 c:\program files\Windows Media Player\Skins\biosamin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\DRIVERS\dwvkbd.sys [2007-02-16 26624]
R3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [2007-02-08 2944]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2004-03-12 32640]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.unisa.edu.au
R1 -: HKCU-Internet Settings,ProxyServer = www-proxy:8080
R1 -: HKCU-Internet Settings,ProxyOverride = 130.220.*;*.unisa.edu.au;<local>

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 10:45:15
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\Windows Media Player\Skins\biosamin.dll

PROCESS: c:\windows\explorer.exe
-> c:\program files\Windows Media Player\Skins\biosamin.dll
.
Completion time: 2008-11-04 10:46:24
ComboFix-quarantined-files.txt 2008-11-04 00:16:18
ComboFix2.txt 2008-10-29 00:12:52

Pre-Run: 18,030,608,384 bytes free
Post-Run: 18,072,600,576 bytes free

187 --- E O F --- 2008-10-24 07:16:03



#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 November 2008 - 10:11 AM

Nah, don't worry about the floppies. That's for an XP Startup disk. As long as you have the CDs so you can use them if you need 'em.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\VundoFix Backups

File::
c:\windows\system32\vhcsutao.dll
c:\windows\system32\xweveiwf.ini
c:\windows\system32\nvqxrfmn.ini
c:\program files\Windows Media Player\Skins\biosamin.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\biosamin]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
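The CFScript above was written by hand from the ComboFix log in post #7: the helper spotted that one DLL, biosamin.dll, sits in two unrelated loader points (a Winlogon notification package and a Browser Helper Object) and is loaded from a Windows Media Player skins folder, and the "DLLs Loaded Under Running Processes" section confirms it is mapped into winlogon.exe and explorer.exe, which is why there was no separate process to kill. The script below automates that reading of the log. It is an added example, not part of the thread and not a ComboFix feature; the log excerpt inside it is constructed from the Reg Loading Points section posted in this thread, and the two heuristics (a Winlogon notify DLL outside %windir%\system32, and one module registered under more than one loader kind) are this example's own, not ComboFix's. The output uses the File:: / Registry:: CFScript layout exactly as Buckeye_Sam wrote it.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log and draft a
CFScript (File:: / Registry:: layout as used in this thread) for entries
that look like injected loader DLLs. Added example; the log excerpt is
constructed from the ComboFix output posted in the thread."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2008-10-28 16:36 299008 --a------ c:\program files\Windows Media Player\Skins\biosamin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\biosamin]
2008-10-28 16:36 299008 c:\program files\Windows Media Player\Skins\biosamin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# Bare lines under BHO / Notify keys: "date time size [attrs] path"
BARE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) (?:[-a-z]+ )?(?P<path>[a-z]:\\.+)$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def parse_loading_points(text):
    """One dict {key, name, path} per value listed under each registry key."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:  # "name"="path" [date size]   or   "name"=dword:...
            value = m.group("value")
            path = value[1:].split('"', 1)[0] if value.startswith('"') else None
            entries.append({"key": key, "name": m.group("name"), "path": path})
            continue
        m = BARE_RE.match(line)
        if m:
            entries.append({"key": key, "name": None, "path": m.group("path")})
    return entries


def loader_kind(key):
    """Classify a key by how Windows loads what it points to."""
    k = key.lower()
    if "winlogon\\notify" in k:
        return "winlogon-notify"   # DLL mapped into winlogon.exe at logon
    if "browser helper objects" in k:
        return "bho"               # DLL mapped into every Internet Explorer
    if k.endswith("\\run") or k.endswith("\\runonce"):
        return "run"
    return None


def find_suspicious(entries):
    """Heuristics of this example: a Winlogon notify DLL outside system32, or
    one module wired into more than one loader kind (e.g. notify + BHO)."""
    by_path = defaultdict(list)
    for e in entries:
        if e["path"] and loader_kind(e["key"]):
            by_path[e["path"].lower()].append(e)
    files, keys, reasons = set(), set(), {}
    for path, regs in by_path.items():
        kinds = {loader_kind(e["key"]) for e in regs}
        why = []
        if "winlogon-notify" in kinds and not path.startswith(SYSTEM32):
            why.append("winlogon notify DLL outside system32")
        if len(kinds) > 1:
            why.append("same module registered under " + ", ".join(sorted(kinds)))
        if why:
            files.add(regs[0]["path"])
            keys.update(e["key"] for e in regs if loader_kind(e["key"]) != "run")
            reasons[regs[0]["path"]] = why
    return {"files": sorted(files), "keys": sorted(keys), "reasons": reasons}


def build_cfscript(flagged):
    """Render the CFScript layout from the thread: File:: paths, then
    Registry:: with [-key] lines, which ComboFix treats as key deletions."""
    lines = ["File::", *flagged["files"], "", "Registry::",
             *(f"[-{k}]" for k in flagged["keys"])]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = find_suspicious(parse_loading_points(SAMPLE_LOG))
    for path, why in flagged["reasons"].items():
        print(f"{path}: {'; '.join(why)}")
    print(build_cfscript(flagged))
```

The draft is meant to be read, not run blindly: the Symantec ccApp and vptray Run entries pass untouched because they live under a single ordinary loader, and a legitimate BHO in its vendor's Program Files folder would also pass. Review what is flagged against the "DLLs Loaded Under Running Processes" section before handing the script to ComboFix.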

#9 XViper

XViper
  • Topic Starter

  • Members
  • 6 posts

Posted 05 November 2008 - 08:06 PM

Sorry about the delay. Was not at work yesterday.

All done.

Popups are not appearing anymore. Seems the remaining trace of this infection is gone. Or at least seems to be.

FYI: ComboFix played around with the dates (as it states during its progress), but did not change them back. No big deal, was easily fixed, just thought it may be worth noting.

If you consider this to be resolved, I thank you immensely for your assistance. Was a learning experience :thumbsup:
If not, I'll continue to check this thread for further instructions.

ComboFix 08-11-03.03 - kumars 2008-11-06 11:07:20.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.550 [GMT 10.5:30]
Running from: c:\documents and settings\kumars\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kumars\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\program files\Windows Media Player\Skins\biosamin.dll
c:\windows\system32\nvqxrfmn.ini
c:\windows\system32\vhcsutao.dll
c:\windows\system32\xweveiwf.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Media Player\Skins\biosamin.dll
C:\VundoFix Backups
c:\windows\system32\nvqxrfmn.ini
c:\windows\system32\vhcsutao.dll
c:\windows\system32\xweveiwf.ini

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-03 11:21 . 2008-11-03 11:21 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-03 11:19 . 2008-11-03 11:19 <DIR> d-------- c:\windows\ERUNT
2008-11-03 10:59 . 2008-10-27 00:01 <DIR> d-------- C:\SDFix
2008-10-30 13:17 . 2004-11-10 15:09 <DIR> d---s---- c:\documents and settings\bottromv\UserData
2008-10-30 13:17 . 2008-10-30 13:17 <DIR> d-------- c:\documents and settings\bottromv
2008-10-30 13:00 . 2008-10-30 13:05 1,916 --a------ c:\windows\system32\tmp.reg
2008-10-30 12:24 . 2008-10-30 12:24 <DIR> d-------- c:\program files\Trend Micro
2008-10-29 11:15 . 2008-10-29 11:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-29 11:04 . 2008-10-29 11:04 110,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-29 11:04 . 2008-10-29 11:04 48,768 --a------ c:\windows\system32\S32EVNT1.DLL
2008-10-29 11:04 . 2008-10-29 11:04 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-29 11:04 . 2008-10-29 11:04 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-10-29 11:03 . 2008-10-29 11:03 <DIR> d-------- c:\program files\Symantec AntiVirus
2008-10-29 10:24 . 2008-10-29 10:24 <DIR> d-------- c:\documents and settings\kumars\Application Data\Malwarebytes
2008-10-29 10:23 . 2008-10-29 10:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-29 10:23 . 2008-10-29 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-29 10:23 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-29 10:23 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-29 10:22 . 2008-10-29 10:22 <DIR> d-------- C:\Virus Removal Tools
2008-10-28 16:36 . 2008-10-28 16:36 0 --a------ c:\windows\VPC32.INI
2008-10-24 10:24 . 2008-10-16 03:04 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 16:25 . 2008-10-16 16:25 <DIR> d-------- c:\program files\Common Files\Risxtd
2008-10-16 16:25 . 2008-10-16 16:25 <DIR> d-------- c:\documents and settings\kumars\Application Data\EndNote
2008-10-16 16:24 . 2008-10-16 16:24 <DIR> d-------- c:\program files\EndNote X1
2008-10-16 16:24 . 2008-10-16 16:25 <DIR> d-------- c:\program files\Common Files\Thomson ResearchSoft
2008-10-15 09:36 . 2008-09-15 22:42 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 09:36 . 2008-09-08 21:11 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 09:35 . 2008-08-14 20:41 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 09:35 . 2008-08-14 20:39 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 09:35 . 2008-08-14 20:03 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 09:35 . 2008-08-14 20:03 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-27 03:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-05-12 102400]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"SoundMan"="SOUNDMAN.EXE" [2004-11-05 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\DRIVERS\dwvkbd.sys [2007-02-16 26624]
R3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [2007-02-08 2944]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2004-03-12 32640]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 11:11:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\windows\SYSTEM32\DWRCS.EXE
c:\program files\SYMANTEC ANTIVIRUS\SAVROAM.EXE
c:\program files\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\system32\DWRCST.exe
c:\windows\ATK0100\ATKOSD.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-11-06 11:12:45 - machine was rebooted [kumars]
ComboFix-quarantined-files.txt 2008-11-06 00:42:42
ComboFix3.txt 2008-10-29 00:12:52
ComboFix2.txt 2008-11-04 00:16:28

Pre-Run: 17,979,850,752 bytes free
Post-Run: 18,008,506,368 bytes free

138 --- E O F --- 2008-10-24 07:16:03


Edited by XViper, 06 November 2008 - 01:31 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:28 PM

Posted 06 November 2008 - 10:29 AM

Looks good to me! :)

Just a few last things and you should be good to go! :)


Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
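The Internet Explorer hardening steps above are given as clicks through the Custom Level dialog. The same six settings live in the registry under the current user's Internet zone (zone 3), so a helper can audit a machine against the recommended values without walking the dialog. The script below is an added example and is not part of the original thread or any tool it mentions; it assumes the documented IE zone action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the action codes 0 = Enable, 1 = Prompt, 3 = Disable. It only reads; it changes nothing.

```python
"""Audit the IE Internet zone (zone 3) against the custom-level settings
recommended in the post above.  Added example, not from the original thread."""

# IE zone action codes: 0 = Enable, 1 = Prompt, 3 = Disable.
# A lower code is more permissive, so "weaker than recommended" means have < want.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Per-user Internet zone key (zone 3); read from HKEY_CURRENT_USER.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Zone action ID -> (setting as shown in the Custom Level dialog, recommended action).
# The IDs are assumed from Microsoft's documentation of IE zone settings.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current):
    """Compare a {zone_action_id: action_code} mapping against RECOMMENDED.

    Returns a list of (id, description, current, recommended) for every setting
    that is missing or more permissive than recommended.  A missing value means
    IE is using the zone template default, which this script cannot see, so it
    is reported for manual review rather than assumed safe.
    """
    findings = []
    for action_id, (description, want) in RECOMMENDED.items():
        have = current.get(action_id)
        if have is None or have < want:
            findings.append((action_id, description, have, want))
    return findings


def read_zone_from_registry():
    """Read the six values from HKCU on Windows (needs the winreg module)."""
    import winreg  # only available on Windows

    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for action_id in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, action_id)
                current[action_id] = int(value)
            except OSError:
                # value not present: leave it out so audit_zone() reports it
                pass
    return current


def format_findings(findings):
    """Render findings as one line per setting, suitable for a report."""
    lines = []
    for action_id, description, have, want in findings:
        have_name = "not set" if have is None else ACTION_NAMES.get(have, str(have))
        lines.append(f"{action_id} {description}: is {have_name}, "
                     f"recommended {ACTION_NAMES[want]}")
    return lines


if __name__ == "__main__":
    # Constructed sample for running off-Windows: signed ActiveX left at Enable,
    # sub-frame navigation value absent.  On Windows, read the real zone instead.
    try:
        zone = read_zone_from_registry()
    except ImportError:
        zone = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                "1800": PROMPT, "1804": PROMPT}
    report = format_findings(audit_zone(zone))
    print("\n".join(report) if report else "Internet zone matches the recommended settings")
```

Run it as the user whose browser profile is being checked, since zone settings are per user; when an enterprise policy forces the values, the effective settings come from the HKLM policy keys and this HKCU read will not show them.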


========================================================

#11 XViper

XViper
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:58 AM

Posted 06 November 2008 - 10:48 PM

Thanks mate :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:28 PM

Posted 07 November 2008 - 04:50 AM

Glad I could help out! :thumbsup:


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:28 PM

Posted 21 November 2008 - 06:52 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
