
backdoor.tidserv!inf virus

This topic is locked
34 replies to this topic

#1 njd.7983

Posted 23 January 2009 - 11:07 AM

Hi,

Referred here from: http://www.bleepingcomputer.com/forums/t/196859/backdoortidserv-how-do-i-remove-it/ ~ OB

My Symantec detected backdoor.tidserv!inf about three days back but refused to delete it. I've run the MBAM, SAS, IAF as suggested by the moderator who was helping me out. The scans detected malware which I have deleted. Now I have been asked to post a HijackThis log. Here it is.

Thanks

N

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:35 AM, on 1/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [XFDLINK] "C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .edu/oca-bin/send-ras?id=1gsm: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jzgnkr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 16244 bytes

Edited by Orange Blossom, 23 January 2009 - 09:35 PM.
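An added example, not part of this thread and not code from HijackThis or ComboFix: a short Python script that applies three defender-side heuristics to lines copied from the HijackThis log above. The three rules (a populated O20 AppInit_DLLs entry, O4 autostarts living in the SYSTEM and Default user hives, and "(no file)" orphans) and the severity labels are this example's own choices; a flagged line means it deserves a closer look, not that it has been confirmed malicious, and the clean Symantec lines are included to show what is not flagged.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1 of this
# thread, plus the clean ccApp/Symantec lines for contrast. Not a full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: jzgnkr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - <rest>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Body of an O4 entry: hive, value name in [...], then the command line.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Run-key hives that no interactive user logs into; autostarts there are unusual.
UNUSUAL_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Finding:
    section: str
    severity: str   # "high", "medium" or "low" (labels are this example's own choice)
    reason: str
    line: str


def parse_hjt(text: str):
    """Return (section, body, original_line) for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program an O4 command line launches."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd).strip()   # drop HijackThis' user suffix
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path, may contain spaces
    else:
        exe = cmd.split(" ", 1)[0]              # unquoted: first token, arguments follow
    return exe.rsplit("\\", 1)[-1].lower()


def triage(text: str):
    """Apply the heuristics to a log and return the entries worth a closer look."""
    findings = []
    for section, body, line in parse_hjt(text):
        if body.endswith("(no file)"):
            findings.append(Finding(section, "low", "registered object whose file is missing (orphan)", line))
            continue
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:   # anything listed here is loaded into every process that loads user32.dll
                findings.append(Finding(section, "high",
                                        f"AppInit_DLLs loads {value} into every process that loads user32.dll", line))
            continue
        if section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            hive, name, exe = m.group("hive"), m.group("name"), exe_basename(m.group("cmd"))
            if hive.startswith(UNUSUAL_HIVES):
                findings.append(Finding(section, "high", f"autostart under {hive} (SYSTEM/Default user hive)", line))
            if name.lower().endswith(".exe") and name.lower() != exe:
                findings.append(Finding(section, "medium", f"value name {name!r} mimics a binary but runs {exe!r}", line))
    return findings


def severity_counts(findings):
    """Tally findings by severity so a long log can be summarised at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(severity_counts(results))
```

Run against the sample it reports three high, two medium and two low findings; the two msiexec.exe lines each trip two rules (unusual hive plus a value name that does not match the launched file), which is the kind of overlap that makes a line worth checking first. The HKLM ccApp and O23 Symantec lines produce nothing, as intended.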



#2 PropagandaPanda
  • Malware Response Team

Posted 30 January 2009 - 03:56 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look like [image].

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 njd.7983
  • Topic Starter

Posted 30 January 2009 - 05:21 PM

Hello PP,

Thanks for helping me out. Here are the two logs that you requested.

ComboFix 09-01-21.04 - jignesh doshi 2009-01-30 15:20:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.137 [GMT -6:00]
Running from: c:\documents and settings\jignesh doshi\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekajgcvapeq.sys
c:\windows\system32\senekaejsmtgwt.dat
c:\windows\system32\senekaqbrnredo.dll
c:\windows\system32\senekawtylvoro.dll
c:\windows\system32\senekayijkdtfg.dat
c:\windows\Tasks\ubcdsgto.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-23 12:38 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 19:35 . 2009-01-22 19:38 <DIR> d-------- c:\program files\ACW
2009-01-21 12:34 . 2009-01-21 12:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:34 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:34 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 07:37 . 2009-01-21 07:38 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-21 07:37 . 2009-01-21 07:38 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-21 07:32 . 2009-01-21 07:32 <DIR> d-a------ c:\program files\SAV1016
2009-01-20 17:42 . 2009-01-20 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-20 17:23 . 2009-01-20 17:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-20 17:23 . 2009-01-20 17:23 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\SUPERAntiSpyware.com
2009-01-20 17:01 . 2009-01-21 18:38 1,924 --a------ c:\windows\klunqqfd
2009-01-20 15:53 . 2009-01-20 15:53 1,432,143 ---hs---- c:\windows\system32\eqhbhonn.ini
2009-01-12 14:55 . 2004-08-04 02:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-12 14:55 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-08 09:21 . 2009-01-08 09:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2009-01-07 15:19 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-01-07 14:59 . 2009-01-07 15:02 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2009-01-07 14:58 . 2009-01-07 20:30 <DIR> d-------- c:\program files\Windows Live
2009-01-07 14:56 . 2009-01-07 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-07 14:55 . 2009-01-07 14:55 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-01-07 14:26 . 2009-01-07 14:46 <DIR> d-------- c:\program files\Qwest
2009-01-07 14:25 . 2009-01-07 14:47 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-01-07 14:21 . 2009-01-07 14:21 <DIR> d-------- c:\program files\2Wire
2009-01-07 14:20 . 2009-01-07 14:20 <DIR> d-------- c:\program files\Actiontec
2009-01-07 14:20 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe
2009-01-07 14:16 . 2009-01-07 14:16 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\InstallShield
2008-12-15 20:17 . 2008-12-15 20:17 <DIR> d-------- c:\program files\FireFox
2008-12-13 19:48 . 2008-12-13 19:48 1,024 --a------ c:\windows\system32\d2i2006.ser
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\windows\system32\psconv
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\program files\psconvert
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\program files\DWG-Converter
2008-12-13 19:34 . 2003-04-11 18:28 679,109 --a------ c:\windows\FONTSDIR.MFD
2008-12-13 19:34 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2008-12-13 19:34 . 2008-12-13 19:34 164 --a------ c:\windows\system32\psconv.ini
2008-12-11 10:14 . 2008-12-11 10:14 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\Malwarebytes
2008-12-11 10:13 . 2008-12-11 10:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 22:30 . 2008-12-10 22:30 <DIR> d-------- C:\_OTMoveIt
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- c:\windows\ERUNT
2008-12-05 20:02 . 2009-01-22 16:08 <DIR> d-------- C:\SDFix
2008-12-02 14:09 . 2009-01-05 13:17 3,796 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-12-02 14:06 . 2008-12-02 14:22 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 14:05 . 2008-12-02 14:22 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-01 16:05 . 2008-12-01 17:23 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-01 12:03 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-01 11:26 . 2008-12-01 11:26 <DIR> d-------- C:\rsit
2008-12-01 10:36 . 2008-12-01 10:36 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 21:32 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-29 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-26 21:21 --------- d-----w c:\documents and settings\jignesh doshi\Application Data\AdobeUM
2009-01-23 18:37 --------- d-----w c:\program files\Java
2009-01-21 15:18 --------- d-----w c:\program files\SuperMarioPac
2009-01-21 13:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 13:38 110,952 -c--a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-21 13:38 --------- d-----w c:\program files\Symantec
2009-01-20 23:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-15 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 20:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 19:28 --------- d-----w c:\documents and settings\jignesh doshi\Application Data\dvdcss
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 16:11 --------- d-----w c:\program files\EsetOnlineScanner
2008-11-30 19:01 --------- d-----w c:\program files\CCleaner
2005-01-13 23:12 34,952 -c--a-w c:\documents and settings\jignesh doshi\Application Data\GDIPFONTCACHEV1.DAT
2004-07-06 02:09 284 -c--a-w c:\documents and settings\jignesh doshi\Application Data\ViewerApp.dat
2004-03-01 19:25 114,688 -c--a-w c:\program files\internet explorer\plugins\ChimeShim.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_17.28.51.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
- 2008-02-20 05:32:43 148,992 -c----w c:\windows\$NtUninstallKB951748$\dnsapi.dll
- 2004-08-04 07:56:44 245,248 -c----w c:\windows\$NtUninstallKB951748$\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w c:\windows\$NtUninstallKB951748$\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w c:\windows\$NtUninstallKB951748$\tcpip6.sys
+ 2004-08-04 06:14:14 138,496 -c----w c:\windows\$NtUninstallKB951748_0$\afd.sys
+ 2008-02-20 05:32:43 148,992 -c----w c:\windows\$NtUninstallKB951748_0$\dnsapi.dll
+ 2004-08-04 07:56:44 245,248 -c----w c:\windows\$NtUninstallKB951748_0$\mswsock.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB951748_0$\spuninst\spuninst.exe
+ 2007-11-30 12:39:19 382,840 -c----w c:\windows\$NtUninstallKB951748_0$\spuninst\updspapi.dll
+ 2007-10-30 17:20:55 360,064 -c----w c:\windows\$NtUninstallKB951748_0$\tcpip.sys
+ 2006-08-16 09:37:30 225,664 -c----w c:\windows\$NtUninstallKB951748_0$\tcpip6.sys
- 2008-06-20 10:44:38 138,368 -c----w c:\windows\$NtUninstallKB956803$\afd.sys
+ 2008-06-20 10:44:38 138,368 -c----w c:\windows\$NtUninstallKB956803_0$\afd.sys
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB956803_0$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB956803_0$\spuninst\updspapi.dll
+ 2009-01-07 20:55:39 236,392 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlServerCe\9.0.242.0__89845dcd8080cc91\System.Data.SqlServerCe.dll
- 2008-12-06 02:12:57 9,949,184 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-22 21:40:47 9,986,048 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-12-06 02:12:57 266,240 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-01-22 21:40:48 274,432 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-01-08 02:30:19 123,008 ----a-r c:\windows\Installer\{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}\WLXPhotoGalleryIcon.exe
+ 2009-01-07 21:06:04 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-01-21 13:39:55 25,214 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
+ 2009-01-21 13:39:55 40,960 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2009-01-21 13:39:55 40,960 ----a-r c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-10-20 02:27:20 167,936 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-12-13 03:14:03 167,936 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-10-20 02:27:20 2,560 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-12-13 03:14:03 2,560 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-10-20 02:27:21 81,920 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-12-13 03:14:03 81,920 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2008-10-20 02:27:20 34,304 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-12-13 03:14:03 34,304 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-10-20 02:27:21 8,192 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-12-13 03:14:03 8,192 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-10-20 02:27:21 3,584 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-12-13 03:14:03 3,584 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-10-20 02:27:21 114,688 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-12-13 03:14:03 114,688 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-10-20 02:27:20 16,384 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-12-13 03:14:03 16,384 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-10-20 02:27:20 30,720 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-12-13 03:14:03 30,720 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-10-20 02:27:21 22,528 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-12-13 03:14:03 22,528 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-10-20 02:27:20 45,056 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-12-13 03:14:03 45,056 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-10-20 02:27:20 90,112 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-12-13 03:14:03 90,112 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-11-13 04:14:16 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-15 03:11:15 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-11-13 04:14:16 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-15 03:11:17 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-13 04:14:16 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-15 03:11:16 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-13 04:14:16 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-15 03:11:16 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-13 04:14:16 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-15 03:11:17 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-13 04:14:17 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-15 03:11:17 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-13 04:14:17 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-15 03:11:18 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-13 04:14:16 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-15 03:11:16 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-11-13 04:14:16 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-15 03:11:16 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-11-13 04:14:16 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-15 03:11:17 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-11-13 04:14:17 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-15 03:11:17 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-13 04:14:16 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-15 03:11:15 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-20 23:23:54 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-01-20 23:23:54 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 ----a-w c:\windows\system32\6to4svc.dll
- 2008-08-20 05:33:19 1,024,000 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\system32\browseui.dll
- 2006-06-15 06:41:58 34,600 ----a-w c:\windows\system32\cba.dll
+ 2007-03-15 01:50:54 34,552 ----a-w c:\windows\system32\cba.dll
- 2008-08-20 05:33:17 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:20:42 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2008-12-05 14:45:09 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-30 18:11:13 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-05 14:45:09 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-30 18:11:13 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-05 14:45:09 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-30 18:11:13 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 05:33:18 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2006-08-16 11:58:05 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
+ 2006-08-16 12:08:32 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
- 2008-08-14 09:51:43 138,368 -c----w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:48:52 138,368 -c----w c:\windows\system32\dllcache\afd.sys
- 2008-08-20 05:33:19 1,024,000 -c----w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 -c----w c:\windows\system32\dllcache\browseui.dll
- 2008-08-20 05:33:17 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:20:42 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:20:45 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2008-06-20 17:41:10 148,992 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
- 2008-08-20 05:33:18 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-20 05:33:18 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:20:46 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-02-20 06:51:05 282,624 -c----w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c----w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-19 09:38:57 18,432 -c----w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 14:18:21 18,432 -c----w c:\windows\system32\dllcache\iedw.exe
- 2008-08-20 05:33:18 251,904 -c----w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:20:46 251,904 -c----w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-20 05:33:18 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:20:46 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2008-08-20 05:33:19 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 02:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 07:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:33:20 3,067,392 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:33:19 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-20 05:33:18 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:20:46 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-08-20 05:33:18 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:20:46 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-06-20 17:41:10 245,248 -c----w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:36:11 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
- 2008-08-20 05:33:18 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-20 05:33:19 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
- 2008-08-28 10:04:17 333,056 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c----w c:\windows\system32\dllcache\srv.sys
- 2006-08-21 15:52:08 246,814 -c----w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c----w c:\windows\system32\dllcache\strmdll.dll
- 2008-06-20 10:45:13 360,320 -c--a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 10:44:42 360,960 -c--a-w c:\windows\system32\dllcache\tcpip.sys
- 2008-06-20 09:52:06 225,920 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:32:39 225,920 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
- 2008-08-20 05:33:19 619,008 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:20:53 619,008 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:33:19 667,648 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:20:49 667,648 -c----w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 03:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 11:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 03:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-06-20 17:41:10 148,992 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:36:11 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:48:52 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2006-01-25 01:06:14 12,992 -c--a-w c:\windows\system32\drivers\symdns.sys
+ 2007-02-12 23:22:16 12,944 ----a-w c:\windows\system32\drivers\symdns.sys
- 2006-01-25 01:06:18 110,784 -c--a-w c:\windows\system32\drivers\symfw.sys
+ 2007-02-12 23:22:20 110,736 ----a-w c:\windows\system32\drivers\symfw.sys
- 2006-01-25 01:06:28 31,936 -c--a-w c:\windows\system32\drivers\symids.sys
+ 2007-02-12 23:22:30 31,888 ----a-w c:\windows\system32\drivers\symids.sys
- 2006-01-25 01:06:24 28,352 -c--a-w c:\windows\system32\drivers\symndis.sys
+ 2007-02-12 23:22:26 28,304 ----a-w c:\windows\system32\drivers\symndis.sys
- 2006-01-25 01:06:32 24,768 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2007-02-12 23:22:36 24,720 ----a-w c:\windows\system32\drivers\symredrv.sys
- 2006-01-25 01:06:36 195,776 ----a-w c:\windows\system32\drivers\symtdi.sys
+ 2007-02-12 23:22:40 196,752 ----a-w c:\windows\system32\drivers\symtdi.sys
- 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 10:44:42 360,960 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2008-06-20 09:52:06 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 09:32:39 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
- 2008-08-20 05:33:18 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-20 05:33:18 55,808 ------w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:20:46 55,808 ------w c:\windows\system32\extmgr.dll
- 2008-11-30 19:26:27 360,936 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-11 15:27:15 360,936 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-02-20 06:51:05 282,624 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-20 05:33:18 251,904 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:20:46 251,904 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-20 05:33:18 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:20:46 96,256 ----a-w c:\windows\system32\inseng.dll
- 2008-12-01 18:02:46 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-10 11:43:37 144,792 ----a-w c:\windows\system32\java.exe
- 2008-12-01 18:02:47 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-10 11:43:38 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-12-01 18:02:47 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-10 11:43:39 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-08-20 05:33:19 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 02:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 07:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-12-23 01:58:34 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2006-06-15 06:42:00 46,896 ----a-w c:\windows\system32\msgsys.dll
+ 2007-03-15 01:50:56 46,848 ----a-w c:\windows\system32\msgsys.dll
- 2008-08-20 05:33:20 3,067,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:33:19 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-20 05:33:18 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:20:46 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-20 05:33:18 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:20:46 532,480 ----a-w c:\windows\system32\mstime.dll
- 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:36:11 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2006-06-15 06:40:42 43,760 ----a-w c:\windows\system32\NavLogon.dll
+ 2007-03-15 01:49:14 43,712 ----a-w c:\windows\system32\NavLogon.dll
- 2006-06-15 06:42:02 83,752 ----a-w c:\windows\system32\nts.dll
+ 2007-03-15 01:50:58 91,896 ----a-w c:\windows\system32\nts.dll
- 2006-06-15 06:42:02 83,752 ----a-w c:\windows\system32\pds.dll
+ 2007-03-15 01:51:00 83,704 ----a-w c:\windows\system32\pds.dll
+ 2006-10-24 18:30:20 412,160 ------w c:\windows\system32\photometadatahandler.dll
- 2008-08-20 05:33:18 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2004-09-27 13:35:22 2,768,896 ----a-w c:\windows\system32\psconv\GSDLL32.dll
+ 2005-01-25 07:52:26 40,960 ----a-w c:\windows\system32\psconv\PSConvert.exe
- 2006-05-05 21:19:50 87,808 ----a-w c:\windows\system32\S32EVNT1.DLL
+ 2009-01-21 13:38:30 48,768 ----a-w c:\windows\system32\S32EVNT1.DLL
- 2008-08-20 05:33:19 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-08-20 05:33:19 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2007-01-19 17:53:04 51,056 ----a-w c:\windows\system32\sirenacm.dll
+ 2007-10-18 17:31:46 51,224 ----a-w c:\windows\system32\sirenacm.dll
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2002-04-23 07:54:34 457,600 ----a-w c:\windows\system32\spool\drivers\w32x86\2\ADOBEPS5.DLL
+ 2002-04-23 07:54:36 135,680 ----a-w c:\windows\system32\spool\drivers\w32x86\2\ADOBEPSU.DLL
- 2004-08-04 07:56:44 132,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\PS5UI.DLL
+ 2005-06-26 04:16:48 138,240 ----a-w c:\windows\system32\spool\drivers\w32x86\3\PS5UI.DLL
- 2004-08-04 07:56:44 464,384 ----a-w c:\windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2005-06-26 04:16:50 480,256 ----a-w c:\windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2002-04-24 01:04:40 1,295,840 ----a-w c:\windows\system32\spool\drivers\WIN40\0\ADOBEPS4.DRV
+ 2000-07-12 03:13:48 118,128 ----a-w c:\windows\system32\spool\drivers\WIN40\0\ICONLIB.DLL
+ 2000-07-12 03:13:48 57,344 ----a-w c:\windows\system32\spool\drivers\WIN40\0\PSMON.DLL
+ 2002-04-24 01:04:40 1,295,840 ----a-w c:\windows\system32\spool\drivers\WIN40\ADOBEPS4.DRV
+ 2000-07-12 03:13:48 118,128 ----a-w c:\windows\system32\spool\drivers\WIN40\ICONLIB.DLL
+ 2000-07-12 03:13:48 57,344 ----a-w c:\windows\system32\spool\drivers\WIN40\PSMON.DLL
- 2006-09-25 23:58:48 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2006-10-16 22:10:58 23,856 ----a-w c:\windows\system32\spupdsvc.exe
- 2006-08-21 15:52:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2006-01-25 01:06:42 534,208 ----a-w c:\windows\system32\SymNeti.dll
+ 2007-02-12 23:22:48 538,256 ----a-w c:\windows\system32\SymNeti.dll
- 2006-01-25 01:06:40 161,472 ----a-w c:\windows\system32\SymRedir.dll
+ 2007-02-12 23:22:46 161,424 ----a-w c:\windows\system32\SymRedir.dll
- 2008-07-14 11:09:18 62,976 ------w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-20 05:33:19 619,008 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:20:53 619,008 ----a-w c:\windows\system32\urlmon.dll
+ 2006-10-24 18:30:06 716,288 ------w c:\windows\system32\WindowsCodecs.dll
+ 2006-10-24 18:29:50 352,256 ------w c:\windows\system32\WindowsCodecsExt.dll
- 2008-08-20 05:33:19 667,648 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:20:49 667,648 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 03:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 11:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
+ 2006-10-24 18:30:00 276,992 ------w c:\windows\system32\WMPhoto.dll
- 2006-10-19 03:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 11:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2008-08-19 09:20:32 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2009-01-30 21:35:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2008-02-01 17:11:10 586,240 ----a-w c:\windows\WLXPGSS.SCR
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-15 22:01 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 1019904]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 1380352]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"XFDLINK"="c:\program files\MDL CrossFire Commander 7.0\xfdlink.exe" [2005-07-19 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-06 185896]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2008-05-31 202016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 c:\windows\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-04 c:\windows\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-19 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\jignesh doshi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-03-28 45056]
WkCalRem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-27 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2004-03-16 1470296]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Registration"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2004-08-27 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jzgnkr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\Chem3D\\Chem3D.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\MDL CrossFire Commander 7.0\\xfdlink.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2006\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2006\\Chem3D\\Chem3D.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFSServW.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live Safety Center\\wlscUploader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2003-11-20 9344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-21 99376]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2003-11-20 390400]
R4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
S0 mhpjqlva;mhpjqlva;c:\windows\system32\drivers\lxwrsdmx.sys --> c:\windows\system32\drivers\lxwrsdmx.sys [?]
S3 DualCamChic;Digital camera (2220);c:\windows\system32\drivers\sndchic.sys [2004-07-14 218752]
S3 MSSQL$CAMBRIDGESOFT;MSSQL$CAMBRIDGESOFT;c:\program files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT --> c:\program files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlservr.exe -sCAMBRIDGESOFT [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S3 SQLAgent$CAMBRIDGESOFT;SQLAgent$CAMBRIDGESOFT;c:\program files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT --> c:\program files\Microsoft SQL Server\MSSQL$CAMBRIDGESOFT\Binn\sqlagent.EXE -i CAMBRIDGESOFT [?]
S4 mrtRate;mrtRate; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cc540b6-7a9b-11dc-9bf9-00080d5bc8c9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\jignesh doshi\Application Data\Mozilla\Firefox\Profiles\4ff2q3u1.default\
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 15:40:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\webshots.scr
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-01-30 16:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-30 22:02:55
ComboFix2.txt 2008-12-09 23:39:22

Pre-Run: 37,725,487,104 bytes free
Post-Run: 38,238,384,128 bytes free

574 --- E O F --- 2009-01-20 03:39:36



HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:20 PM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [XFDLINK] "C:\Program Files\MDL CrossFire Commander 7.0\xfdlink.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .edu/oca-bin/send-ras?id=1gsm: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jzgnkr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 15995 bytes

#4 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • Local time:10:55 PM

Posted 30 January 2009 - 05:36 PM

Hello PP,

I thought I should mention this. When ComboFix first caused the computer to reboot, I had this window pop up with the following message: "catchme.cfexe - DLL Initialization failed. The application failed to initialize because the windows station is shutting down." Also, I haven't made any changes to my computer after posting the first HijackThis log.

Regards
N

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:11:55 PM

Posted 30 January 2009 - 05:40 PM

Hello njd.7983.

Let's take care of the rest.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\klunqqfd
    c:\windows\system32\eqhbhonn.ini
    
    Rootkit::
    c:\windows\system32\drivers\lxwrsdmx.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    Driver::
    mhpjqlva
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update Windows Installation
Your Microsoft Windows installation is out of date. Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Please click here to check for and install updates to Windows, and Microsoft applications. If you encounter any problems during the installation, please feel free to ask for help.

The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Reboot and repeat the update process until there are no more updates to install.

Save Uninstall List with HijackThis
  • Double click the HijackThis icon on your desktop.
  • If you see a white screen, click Main Menu at the middle bottom of the window, otherwise move on to the next step.
  • Click Open the Misc Tools section.
  • Under System tools, select Uninstall Manager....
  • Near the bottom right, click Save list... and save uninstall_list.txt onto your desktop.
  • Close out of HijackThis.
  • Post back with uninstall_list.txt.

Please post back with:
-the ComboFix log
-the Uninstall list

How is your computer running now?

With Regards,
The Panda
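
As an added example (not code from this thread, HijackThis or ComboFix), the following Python script triages the three HijackThis sections the CFScript above acts on: the O20 AppInit_DLLs value, O23 services and O4 Run entries. The sample lines are constructed from the log posted in this thread, and the random-looking-name heuristic is my own assumption, not a HijackThis rule.

```python
"""Triage the autostart lines of a HijackThis log.

Added example for this thread, not BleepingComputer's, HijackThis' or
ComboFix's code. It flags the entries a helper would look at first:
a non-empty AppInit_DLLs value (O20), services with no recorded
publisher (O23) and Run entries that name a bare file (O4).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [TFncKy] TFncKy.exe
O20 - AppInit_DLLs: jzgnkr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Swupdtmr - Unknown owner - c:\\toshiba\\ivp\\swupdate\\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    subject: str
    severity: str
    reason: str


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption): machine-generated names such as jzgnkr.dll
    are short all-letter stems with almost no vowels. Vendor abbreviations
    can trip it, so it only raises the severity of an entry that was flagged
    for another reason; it never produces a finding on its own."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or not 6 <= len(stem) <= 10:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25


def _check_appinit(body: str) -> Optional[Finding]:
    if not body.startswith("AppInit_DLLs:"):
        return None  # other O20 rows (Winlogon Notify) need separate review
    value = body.split(":", 1)[1].strip()
    if not value:
        return None  # empty value is the Windows default
    severity = "high" if looks_random(value) else "medium"
    return Finding("O20", value, severity,
                   "AppInit_DLLs is non-empty; each listed DLL is loaded into "
                   "every process that links user32.dll (the CFScript above "
                   "clears this value)")


def _check_service(body: str) -> Optional[Finding]:
    # Body looks like: Service: <display> - <owner> - <path>
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    if owner != "Unknown owner":
        return None
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return Finding("O23", display, "medium",
                   f"service binary {basename} has no publisher recorded; "
                   "confirm where it came from before trusting it")


def _check_run(body: str) -> Optional[Finding]:
    m = RUN_ENTRY.match(body)
    if not m:
        return None  # Startup-folder rows are not Run-key rows
    cmd = m.group("cmd").strip().strip('"')
    if not cmd or "\\" in cmd:
        return None  # fully qualified path: the file that runs is unambiguous
    return Finding("O4", m.group("name"), "low",
                   f"bare filename {cmd.split()[0]} is resolved through the "
                   "PATH search order; verify which copy on disk actually starts")


CHECKS = {"O20": _check_appinit, "O23": _check_service, "O4": _check_run}


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious autostart line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        if check is None:
            continue
        finding = check(body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section} {f.subject}: {f.reason}")
```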

#6 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • Local time:10:55 PM

Posted 30 January 2009 - 09:06 PM

Hello PP,

I looked for updates and Microsoft came up with only one and asked me to install SP3. I tried installing it, but the process stalled during the "Performing cleanup" stage. So what do I do next? My computer seems to be running OK now. I googled things and there are no redirections for now, but I find them to be unpredictable. They don't happen all the time. For instance, before I ran ComboFix for the second time, Google searches were still being redirected. Here are the two lists you asked for.

Thanks

N

ComboFix 09-01-21.04 - jignesh doshi 2009-01-30 16:58:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.158 [GMT -6:00]
Running from: c:\documents and settings\jignesh doshi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jignesh doshi\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\klunqqfd
c:\windows\system32\eqhbhonn.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\klunqqfd
c:\windows\system32\eqhbhonn.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mhpjqlva


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-23 12:38 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-22 19:35 . 2009-01-22 19:38 <DIR> d-------- c:\program files\ACW
2009-01-21 12:34 . 2009-01-21 12:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:34 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:34 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 07:37 . 2009-01-21 07:38 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-21 07:37 . 2009-01-21 07:38 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-21 07:32 . 2009-01-21 07:32 <DIR> d-a------ c:\program files\SAV1016
2009-01-20 17:42 . 2009-01-20 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-20 17:23 . 2009-01-20 17:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-20 17:23 . 2009-01-20 17:23 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\SUPERAntiSpyware.com
2009-01-12 14:55 . 2004-08-04 02:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-12 14:55 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-08 09:21 . 2009-01-08 09:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2009-01-07 15:19 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-01-07 14:59 . 2009-01-07 15:02 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2009-01-07 14:58 . 2009-01-07 20:30 <DIR> d-------- c:\program files\Windows Live
2009-01-07 14:56 . 2009-01-07 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-07 14:55 . 2009-01-07 14:55 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-01-07 14:26 . 2009-01-07 14:46 <DIR> d-------- c:\program files\Qwest
2009-01-07 14:25 . 2009-01-07 14:47 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-01-07 14:21 . 2009-01-07 14:21 <DIR> d-------- c:\program files\2Wire
2009-01-07 14:20 . 2009-01-07 14:20 <DIR> d-------- c:\program files\Actiontec
2009-01-07 14:20 . 2004-02-14 09:19 143,360 --a------ c:\windows\GTRemove.exe
2009-01-07 14:16 . 2009-01-07 14:16 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\InstallShield
2008-12-15 20:17 . 2008-12-15 20:17 <DIR> d-------- c:\program files\FireFox
2008-12-13 19:48 . 2008-12-13 19:48 1,024 --a------ c:\windows\system32\d2i2006.ser
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\windows\system32\psconv
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\program files\psconvert
2008-12-13 19:34 . 2008-12-13 19:34 <DIR> d-------- c:\program files\DWG-Converter
2008-12-13 19:34 . 2003-04-11 18:28 679,109 --a------ c:\windows\FONTSDIR.MFD
2008-12-13 19:34 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2008-12-13 19:34 . 2008-12-13 19:34 164 --a------ c:\windows\system32\psconv.ini
2008-12-11 10:14 . 2008-12-11 10:14 <DIR> d-------- c:\documents and settings\jignesh doshi\Application Data\Malwarebytes
2008-12-11 10:13 . 2008-12-11 10:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 22:30 . 2008-12-10 22:30 <DIR> d-------- C:\_OTMoveIt
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- c:\windows\ERUNT
2008-12-05 20:02 . 2009-01-22 16:08 <DIR> d-------- C:\SDFix
2008-12-02 14:09 . 2009-01-05 13:17 3,796 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-12-02 14:06 . 2008-12-02 14:22 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 14:05 . 2008-12-02 14:22 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-01 16:05 . 2008-12-01 17:23 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-01 12:03 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-01 11:26 . 2008-12-01 11:26 <DIR> d-------- C:\rsit
2008-12-01 10:36 . 2008-12-01 10:36 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 23:07 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-29 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-26 21:21 --------- d-----w c:\documents and settings\jignesh doshi\Application Data\AdobeUM
2009-01-23 18:37 --------- d-----w c:\program files\Java
2009-01-21 15:18 --------- d-----w c:\program files\SuperMarioPac
2009-01-21 13:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 13:38 110,952 -c--a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-21 13:38 --------- d-----w c:\program files\Symantec
2009-01-20 23:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-15 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 20:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 19:28 --------- d-----w c:\documents and settings\jignesh doshi\Application Data\dvdcss
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 16:11 --------- d-----w c:\program files\EsetOnlineScanner
2008-11-30 19:01 --------- d-----w c:\program files\CCleaner
2005-01-13 23:12 34,952 -c--a-w c:\documents and settings\jignesh doshi\Application Data\GDIPFONTCACHEV1.DAT
2004-07-06 02:09 284 -c--a-w c:\documents and settings\jignesh doshi\Application Data\ViewerApp.dat
2004-03-01 19:25 114,688 -c--a-w c:\program files\internet explorer\plugins\ChimeShim.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-30_15.59.19.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-30 23:10:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-15 22:01 258048]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 126976]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 1019904]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 1380352]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"iRiver Updater"="c:\program files\iRiver\iRiver Manager\Updater\Updater.exe" [2004-03-10 204800]
"XFDLINK"="c:\program files\MDL CrossFire Commander 7.0\xfdlink.exe" [2005-07-19 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-06 185896]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2008-05-31 202016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 c:\windows\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-04 c:\windows\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-19 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\jignesh doshi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-03-28 45056]
WkCalRem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-27 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2004-03-16 1470296]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Registration"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2004-08-27 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\Chem3D\\Chem3D.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\MDL CrossFire Commander 7.0\\xfdlink.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2006\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2006\\Chem3D\\Chem3D.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFSServW.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live Safety Center\\wlscUploader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2003-11-20 9344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-21 99376]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2003-11-20 390400]
S3 DualCamChic;Digital camera (2220);c:\windows\system32\drivers\sndchic.sys [2004-07-14 218752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S4 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - SPBBCSvc
*Deregistered* - Spooler
*Deregistered* - sprtlisten
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Swupdtmr
*Deregistered* - Symantec AntiVirus
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - upnphost
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMPNetworkSvc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cc540b6-7a9b-11dc-9bf9-00080d5bc8c9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\jignesh doshi\Application Data\Mozilla\Firefox\Profiles\4ff2q3u1.default\
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 17:12:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\supportsoft\bin\sprtlisten.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-01-30 17:35:14 - machine was rebooted [jignesh doshi]
ComboFix-quarantined-files.txt 2009-01-30 23:35:01
ComboFix2.txt 2009-01-30 22:03:10
ComboFix3.txt 2008-12-09 23:39:22

Pre-Run: 38,207,848,448 bytes free
Post-Run: 38,182,551,552 bytes free

312 --- E O F --- 2009-01-20 03:39:36


HijackThis uninstall list

Digital Camera (2220)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
4U AVI MPEG Converter (version 5.3.8)
7-Zip 4.57
Accord SDK 5.1 Runtime
ACD/Labs Software 5 (C:\Documents and Settings\jignesh dosh
Actiontec Gateway
Ad-Aware
Adobe Acrobat 6.0 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 8.1.2
Adobe SVG Viewer 3.0
Alps Pointing-device Driver
Apple Software Update
ArcSoft MediaConverter 2
ArcSoft PhotoImpression
ArcSoft Software Suite
ArcSoft VideoImpression 1.6
AT&T Connection Services Manager
Atari: The 80 Classic Games
Atheros Client Utility
AutoCAD 2006 - English
Autodesk DWF Viewer
Backburner
BioAssay Ultra 9.0 (09/01/2004)
BioAssayDesktop
B's CLiP
CambridgeSoft ChemDraw Plugin Net 9.0
CambridgeSoft ChemOffice Ultra 2005
CambridgeSoft ChemOffice Ultra 2006
CambridgeSoft E-Notebook
CambridgeSoft Inventory
CambridgeSoft Inventory 10.0
CCleaner (remove only)
CD/DVD Drive Acoustic Silencer
Cda Product Service - shared component
CompuSyn
CutePDF Writer 2.7
Digital camera (2220)
DivX Content Uploader
DivX Web Player
Drag'n Drop CD+DVD
DVD-RAM Driver
DWG to Image Converter 2006
EndNote 8.0.2
ESET Online Scanner
Eudora
Flipper Graph Control
Free PS Convert driver 8.15
GameSpy Arcade
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
GraphPad Prism 4
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 10.0
HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
InterActual Player
InterVideo WinDVD 4
iPIX ActiveX Viewer
iRiver Manager
iRiver Updater
ISI ResearchSoft - Export Helper
Java™ 6 Update 11
Learn2 Player (Uninstall Only)
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MDL Chime/Chime Pro for Internet Explorer
MDL CrossFire Commander 7.0 SP2
MDL ISIS Draw 2.5 Standalone
MestReC 4.7.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (CAMBRIDGESOFT)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox (3.0.5)
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Netflix Movie Viewer
Netflix Preview Player
NetMeeting Resource Kit 3.0
Notebook Maximizer
PCFriendly
Picasa 2
Picture Package
POWERPREP GRE
QuickConnect
Quicken 2004
QuickTime
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.5
RealPlayer
Rhapsody Player Engine
SciFinder Scholar 2004
SciFinder Scholar 2006
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Shop for HP Supplies
Skype™ 3.6
Sony USB Driver
SoundMAX
SUPERAntiSpyware Free Edition
SurfHere by Toshiba
Symantec AntiVirus
Symantec AntiVirus
Teton Viewer
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Display Devices Change Utility
TOSHIBA Fax Extension
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Touch and Launch
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
VLC media player 0.9.4
VPN Client
Webshots Desktop
Winamp (Remove Only)
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Central
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Toolbar



Edited by PropagandaPanda, 31 January 2009 - 10:10 AM.


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 31 January 2009 - 10:14 AM

Hello.

Looks better.

Reset Hosts File
Some infections will put malicious lines into your hosts files. We will reset your hosts file with HostsXpert.
  • Please download HostsXpert.zip to your desktop and unzip the contents.
  • A folder named HostsXpert will be created. Open it and run HostsXpert.exe by double clicking it.
  • Click on the button Make Writeable?.
  • Click Restore Microsoft's Hosts File.
  • Close out of the window.
If you have added modifications to your hosts file, they will need to be re-added.

Install and Run CCleaner
We will use CCleaner by Piriform to remove temporary files.
  • Please download CCleanerSetup from this page to your desktop. Select the Download Latest Version at the top right of the page.
  • Double click the setup file. Follow the prompts to install the program. I suggest you uncheck the option for Yahoo! toolbar. Otherwise, adjust options as you please.
  • Open CCleaner to the Cleaner section.
  • Check all items in Internet Explorer, Windows Explorer, and System. You can leave "Autocomplete Form History" unchecked if desired.
  • Under the Advanced section, check, unless otherwise desired:
    • Old Prefetch data
    • Menu Cache order
    • Tray Notifications Cache (settings for items in the area beside the clock)
    • User Assist History
    • IIS Log Files
    • Hotfix uninstallers
  • Click Run Cleaner. Close out when finished.
Please do not use the other features of CCleaner.

Try to install Service Pack 3 again. Tell me how it goes.

Are those redirects still occurring?

With Regards,
The Panda

#8 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 31 January 2009 - 07:43 PM

Hello PP,

I downloaded and followed the steps for HostsXpert as well as CCleaner. About the SP3, looks like it is on my computer; when I started the computer it took longer than usual. Some loading was happening and then I looked into properties of My Computer and it showed SP3 there. I did a check for the redirects before adding this post and the redirects are still occurring.

Regards,

N

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 31 January 2009 - 07:51 PM

Hello.

Following the guide here, please set for OpenDNS.

Reboot for the changes to take effect.

Still occurring?

With Regards,
The Panda

#10 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 31 January 2009 - 08:42 PM

Hi,

Thanks for all the help so far. Done OpenDNS. Post reboot, two out of seven searches redirected. Like I said, unpredictable!

N

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 31 January 2009 - 08:47 PM

Hello.

Let's try something else.

Download and Run SmitFraudFix
You can find complete instructions for running SmitFraudFix in the link below:
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Boot your computer into Safe Mode before running this tool. Do not use the MsConfig method.
  • Double click the icon to run it.
  • Select Option 2 by typing 2 and hitting Enter.
  • The scan will progress. Answer Yes to any prompts you receive. This will include running disk cleanup and removing infected files.
  • The tool will restart your computer.
  • Upon reboot, a log file located at C:\rapport.txt will open. Copy its contents into your next reply.

With Regards,
The Panda

#12 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 01 February 2009 - 01:18 AM

Hello,

I ran SmitFraudFix according to the instructions. However, after the disk cleanup stage it just seemed to have stalled. The instructions say a red screen would show up and the computer would reboot after the last stage. I am not sure how long the process typically lasts. I know that after the disk cleanup I waited at least an hour before rebooting manually. I have the log generated. Also I noticed whenever I boot the computer the Symantec Corporate Edition turns itself off and notifies the same with a pop-up near the task bar. Sometimes it turns itself on again after a while. Also the redirects are still occurring!


N


SmitFraudFix v2.392

Scan done at 21:26:35.46, Sat 01/31/2009
Run from C:\Documents and Settings\jignesh doshi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{18887EA2-BB7A-499D-9C5B-82067E58AC34}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 01 February 2009 - 12:08 PM

Hello.

Let's dig deeper into this.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Change the Rootkit Scan option from "No" to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#14 njd.7983

njd.7983
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 01 February 2009 - 03:53 PM

Hi,

I scanned using the two. Attaching the OTScanIt.txt and pasting the GMER log.

N


Gmer

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-01 14:47:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 86A94450 ZwAlertResumeThread
SSDT 86A94BB8 ZwAlertThread
SSDT 86958D70 ZwAllocateVirtualMemory
SSDT 8695D808 ZwConnectPort
SSDT 8684A8A0 ZwCreateMutant
SSDT 86978318 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEE0FF350]
SSDT 8697E0A8 ZwFreeVirtualMemory
SSDT 86A54C18 ZwImpersonateAnonymousToken
SSDT 8676B898 ZwImpersonateThread
SSDT 86991F10 ZwMapViewOfSection
SSDT 8683F8A0 ZwOpenEvent
SSDT 86811AF0 ZwOpenProcessToken
SSDT 86B87600 ZwOpenThreadToken
SSDT 869C4D30 ZwQueryValueKey
SSDT 869A5C30 ZwResumeThread
SSDT 86A76D98 ZwSetContextThread
SSDT 869A4098 ZwSetInformationProcess
SSDT 86A918F8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE0FF580]
SSDT 8674F8A0 ZwSuspendProcess
SSDT 86A96280 ZwSuspendThread
SSDT 86970910 ZwTerminateProcess
SSDT 86A96CF8 ZwTerminateThread
SSDT 869960A8 ZwUnmapViewOfSection
SSDT 86971EE8 ZwWriteVirtualMemory

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1796] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\jignesh doshi\Application Data\Macromedia\Flash Player\#SharedObjects\ZGW33NBX\nakednews.com.\com.jeroenwijering.utils.sol 56 bytes
File C:\Documents and Settings\jignesh doshi\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#nakednews.com.\settings.sol 84 bytes

---- EOF - GMER 1.0.14 ----


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 01 February 2009 - 05:47 PM

Hello.

This is strange. Please give me some details: where do the searches redirect to?

Let's run this test.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @ECHO OFF
    ECHO .
    REM Ping www.google.com five times in a row. The first run creates
    REM Report.txt; the later runs append to it.
    ping -n 4 www.google.com>Report.txt
    ECHO .
    ping -n 4 www.google.com>>Report.txt
    ECHO .
    ping -n 4 www.google.com>>Report.txt
    ECHO .
    ping -n 4 www.google.com>>Report.txt
    ECHO .
    ping -n 4 www.google.com>>Report.txt
    REM Open the collected report in Notepad, then delete this batch file.
    start notepad Report.txt
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input test.bat
  • Hit OK.
When done properly, the icon should look like [image].

Double click test.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator".

You will see a black command prompt open. It may stay open for a minute. A notepad will open after. Please post the contents of the notepad.

With Regards,
The Panda
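As an added example (not part of this thread or of the batch script above), here is a small Python parser for the Report.txt that script writes. It pulls the address www.google.com resolved to in each ping run and flags runs that failed to resolve or resolved to a non-public address, the kind of answer a hosts-file or DNS redirection would produce. The report text below is constructed, with the blank lines ping normally prints trimmed.

```python
import ipaddress
import re

# Constructed sample of Report.txt: five "ping -n 4 www.google.com" runs
# appended together in Windows XP ping format (blank lines trimmed).
# Addresses are made up; runs 3 and 5 are deliberately abnormal.
SAMPLE_REPORT = """\
Pinging www.google.com [74.125.67.100] with 32 bytes of data:
Reply from 74.125.67.100: bytes=32 time=45ms TTL=52
Ping statistics for 74.125.67.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Pinging www.google.com [74.125.45.100] with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=47ms TTL=52
Pinging www.google.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Pinging www.google.com [74.125.67.100] with 32 bytes of data:
Reply from 74.125.67.100: bytes=32 time=46ms TTL=52
Ping request could not find host www.google.com. Please check the name and try again.
"""

# One "Pinging <host> [<addr>]" header per run; the resolved address is what matters.
HEADER = re.compile(r"^Pinging (\S+) \[([\d.]+)\]")
FAILED = re.compile(r"^Ping request could not find host (\S+)")


def parse_report(text):
    """Return one (host, address-or-None) tuple per ping run in the report."""
    runs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            runs.append((m.group(1), m.group(2)))
            continue
        m = FAILED.match(line)
        if m:
            runs.append((m.group(1).rstrip("."), None))
    return runs


def find_suspicious(runs):
    """Flag runs that failed to resolve or resolved to a non-public address.
    Different public addresses across runs are normal (round-robin DNS)."""
    findings = []
    for host, addr in runs:
        if addr is None:
            findings.append((host, None, "name did not resolve"))
        elif not ipaddress.ip_address(addr).is_global:
            findings.append((host, addr, "resolved to a non-public address"))
    return findings

if __name__ == "__main__":  # run stand-alone against the constructed sample
    print(find_suspicious(parse_report(SAMPLE_REPORT)))
```

Point the parser at a real Report.txt by reading the file into `parse_report` instead of the sample string.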



