
Unable to install antivirus & cannot boot in safe mode


This topic is locked
22 replies to this topic

#1 sundeep38

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:50 AM

Posted 22 February 2009 - 05:28 AM

Hi,

I am facing a major virus problem with my system. Task Manager, registry editing and Folder Options of my operating system got disabled, and also I am unable to boot in Safe Mode. If I press F8 and choose Safe Mode (with Networking or any other option), the PC gets restarted again, so again I have to start my PC normally.

I downloaded Avira and Avast, and when I tried to install them, the installations were being closed at the start without any prompt messages. While googling, I came to see this forum. I have downloaded HijackThis and here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:00 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\DOCUME~1\sundeep\LOCALS~1\Temp\windjluwx.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\HiJackThis\HijackThis.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

--
End of file - 1487 bytes


Please let me know if anyone has any suggestions regarding this.

Thanks,
Sundeep.

#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:03:50 PM

Posted 26 February 2009 - 10:34 AM

Hello, sundeep38.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
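As an added illustration (not code from this thread, from RSIT or from HijackThis): a small Python triage script for the kind of RSIT/HijackThis log requested above. It flags three indicator classes a responder checks in a case like this one: user policy keys that disable Task Manager, regedit or Folder Options; firewall-authorized executables in the user's Temp folder or with .pif/.scr/.bat/.cmd extensions; and MountPoints2 autorun handlers that launch a file from a removable drive. The log text in SAMPLE_LOG is constructed to resemble RSIT output and is not a real log.

```python
"""Triage an RSIT / HijackThis-style log for restrictive policy keys,
suspicious firewall-authorized applications and MountPoints2 autorun
handlers.

Added example, not code from the thread, RSIT or HijackThis. Section
names and value layouts follow what RSIT prints; SAMPLE_LOG is a
constructed sample, not a real log.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Logfile of random's system information tool 1.05 (constructed sample)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

======Registry dump======

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\user\LOCALS~1\Temp\winabcd.exe"="C:\DOCUME~1\user\LOCALS~1\Temp\winabcd.exe:*:Enabled:ipsec"
"H:\sample.pif"="H:\sample.pif:*:Enabled:ipsec"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
shell\AutoRun\command - H:\sample.pif
shell\opeN\command - H:\sample.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000002}]
shell\AutoRun\command - wscript.exe sample.vbs
"""

# Policy values that, when set to 1 under HKCU, lock the user out of the
# tools they would use to inspect and clean the machine.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools",
                        "DisableRegedit", "NoFolderOptions"}

SECTION_RE = re.compile(r"^\[(.+)\]$")           # [registry key] header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # "name"=value
O7_RE = re.compile(r"^O7 - .+, (\w+)=(\d+)$")    # HijackThis O7 policy line
MOUNTPOINT_RE = re.compile(r"^shell\\([^\\]+)\\command - (.+)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
RISKY_EXT_RE = re.compile(r"\.(pif|scr|bat|cmd)$", re.IGNORECASE)


def triage(log_text):
    """Return a list of (kind, detail) findings; kind is 'policy',
    'firewall' or 'autorun'."""
    findings = []
    section = ""  # lower-cased name of the current [registry key] block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        # HijackThis reports the same policy restrictions inline as O7 lines.
        m = O7_RE.match(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES and m.group(2) == "1":
            findings.append(("policy", f"{m.group(1)}=1 (O7 line)"))
            continue
        m = VALUE_RE.match(line)
        if m and section.endswith(("\\policies\\system", "\\policies\\explorer")):
            name, value = m.group(1), m.group(2).strip()
            if name in RESTRICTIVE_POLICIES and value == "1":
                findings.append(("policy", f"{name}=1 under {section}"))
        elif m and section.endswith("\\authorizedapplications\\list"):
            path = m.group(1)  # the authorized executable is the value name
            if TEMP_DIR_RE.search(path) or RISKY_EXT_RE.search(path):
                findings.append(("firewall", path))
        m = MOUNTPOINT_RE.match(line)
        if m and "\\mountpoints2\\" in section:
            findings.append(("autorun", f"{m.group(1)} -> {m.group(2)}"))
    return findings


def count_by_kind(findings):
    """Collapse the findings into a plain dict of counts per kind."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind:8}] {detail}")
    print(count_by_kind(triage(SAMPLE_LOG)))
```

Run against a real RSIT log.txt, the same three checks surface the HKCU policy restrictions, every Temp-folder executable the firewall has been told to allow, and each drive whose autorun handler points at a file on the drive itself.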


#3 sundeep38
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:50 AM

Posted 28 February 2009 - 04:32 PM

Hi Aommaster,

Thanks for the reply.

I had run that tool for the first time and it gave me both log.txt and info.txt. Suddenly, I had to close the text files without copying the content, and when I tried to run it again, I was only able to see log.txt; info.txt is missing.

Here is my log.txt. Please let me know if I have to give you any more details.

Logfile of random's system information tool 1.05 (written by random/random)
Run by sundeep at 2009-03-01 02:55:22
Microsoft Windows XP Professional Service Pack 2
System drive C: has 25 GB (63%) free of 40 GB
Total RAM: 2028 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:23 AM, on 3/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Prevx\prevx.exe
C:\DOCUME~1\sundeep\LOCALS~1\Temp\wnhmgt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\sundeep\Desktop\RSIT.exe
C:\Program Files\trend micro\sundeep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

--
End of file - 1981 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1078081533-682003330-1003.job

======Registry dump======

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-09-01 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0029581235290909mcinstcleanup]
C:\DOCUME~1\sundeep\LOCALS~1\Temp\002958~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-21 226600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsnlLiteTrayApp]
C:\Program Files/BSNL Lite/bin/McciTrayApp.exe [2007-09-13 988672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-09-01 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\Program Files\DAP\DAP.EXE [2008-09-05 4450056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
C:\WINDOWS\FixCamera.exe [2007-07-11 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-02 3817472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 112936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-07-10 358696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1741312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-06-11 230960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-05-27 487424]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RRT-Auto]
C:\Documents and Settings\sundeep\Desktop\RRT\RRT.exe auto []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe [2007-05-10 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe [2007-05-10 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2008-09-19 4625648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2006-10-23 113776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^DriveGuard.lnk]
C:\Program Files\WinDriveGuard\DriveGuard.exe -run []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoFolderOptions"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\Microsoft Expression\Media 2\Media.exe"="C:\Program Files\Microsoft Expression\Media 2\Media.exe:*:Enabled:iView Multimedia"
"H:\dcxlj.pif"="H:\dcxlj.pif:*:Enabled:ipsec"
"C:\WINDOWS\system32\ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\WINDOWS\ALCMTR.EXE"="C:\WINDOWS\ALCMTR.EXE:*:Enabled:ipsec"
"C:\Program Files\QuickTime\qttask.exe"="C:\Program Files\QuickTime\qttask.exe:*:Enabled:ipsec"
"C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe"="C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"
"C:\Program Files\Unlocker\UnlockerAssistant.exe"="C:\Program Files\Unlocker\UnlockerAssistant.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wintqrp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wintqrp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\cghl.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\cghl.exe:*:Enabled:ipsec"
"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\netsh.exe"="C:\WINDOWS\system32\netsh.exe:*:Enabled:ipsec"
"C:\WINDOWS\vsnp2std.exe"="C:\WINDOWS\vsnp2std.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winlwsw.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winlwsw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winmgwpa.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winmgwpa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winghbe.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winghbe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\ucyrr.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\ucyrr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjmpdcw.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjmpdcw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winphbcs.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winphbcs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winxtvhle.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winxtvhle.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\gubnyw.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\gubnyw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winbjrlp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winbjrlp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\tmaje.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\tmaje.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wscntfy.exe"="C:\WINDOWS\system32\wscntfy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winrlkw.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winrlkw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\pyjv.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\pyjv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winimwqa.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winimwqa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\dkab.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\dkab.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhrloag.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhrloag.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winymlo.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winymlo.exe:*:Enabled:ipsec"
"C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe"="C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\NOTEPAD.EXE"="C:\WINDOWS\system32\NOTEPAD.EXE:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe"="C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe:*:Enabled:ipsec"
"C:\WINDOWS\RTHDCPL.EXE"="C:\WINDOWS\RTHDCPL.EXE:*:Enabled:ipsec"
"C:\WINDOWS\FixCamera.exe"="C:\WINDOWS\FixCamera.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winkjrt.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winkjrt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winefenuo.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winefenuo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\w461b4.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\w461b4.exe:*:Enabled:ipsec"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wincvyu.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wincvyu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\spgret.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\spgret.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\w513be.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\w513be.exe:*:Enabled:ipsec"
"C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winmqifvq.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winmqifvq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhlxdk.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhlxdk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\w45cc2.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\w45cc2.exe:*:Enabled:ipsec"
"C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\krjufu.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\krjufu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\levq.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\levq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\lrmix.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\lrmix.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winqjscjq.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winqjscjq.exe:*:Enabled:ipsec"
"C:\Program Files\BitDefender\BitDefender 2009\bdwizreg.exe"="C:\Program Files\BitDefender\BitDefender 2009\bdwizreg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winukdxyv.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winukdxyv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjybdcr.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjybdcr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingduug.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingduug.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\xvbyps.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\xvbyps.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winpium.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winpium.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winfljrta.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winfljrta.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winuubp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winuubp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\pfpprh.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\pfpprh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\pftjh.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\pftjh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winwweig.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winwweig.exe:*:Enabled:ipsec"
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingpcy.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingpcy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winxeqkh.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winxeqkh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winrjbha.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winrjbha.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winccthwe.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winccthwe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhwqqam.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhwqqam.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\fmtmva.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\fmtmva.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhjlky.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winhjlky.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\ckfw.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\ckfw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wincbnr.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wincbnr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\windisnd.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\windisnd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winkqujxk.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winkqujxk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\yrhsyy.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\yrhsyy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjfpbms.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjfpbms.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingpqgwp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\wingpqgwp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winoccg.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winoccg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winnkryxy.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winnkryxy.exe:*:Enabled:ipsec"
"C:\Documents and Settings\sundeep\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"="C:\Documents and Settings\sundeep\Local Settings\Application Data\Google\Update\GoogleUpdate.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\vpdwp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\vpdwp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winqbnej.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winqbnej.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\hyumjp.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\hyumjp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\bpdtsh.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\bpdtsh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winbjvws.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winbjvws.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjqjwa.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winjqjwa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\jqqpg.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\jqqpg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\dvfms.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\dvfms.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\tanfe.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\tanfe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winvfguf.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winvfguf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\sundeep\LOCALS~1\Temp\winnnxer.exe"="C:\DOCUME~1\sundeep\LOCALS~1\Temp\winnnxer.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{269193d6-7c28-11dd-8c19-bc3f18eb2e6b}]
shell\AutOpLaY\command - H:\dcxlj.pif
shell\AutoRun\command - H:\dcxlj.pif
shell\eXPlorE\command - H:\dcxlj.pif
shell\opeN\command - H:\dcxlj.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7546021d-80cd-11dd-8c29-a71d69cababe}]
shell\AuTOpLay\command - I:\lkikah.pif
shell\AutoRun\command - I:\lkikah.pif
shell\explORE\command - I:\lkikah.pif
shell\oPen\command - I:\lkikah.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d40fae-baf5-11dd-8d2f-001b5756f3d9}]
shell\AutoRun\command - wscript.exe VirusRemoval.vbs
shell\open\command - wscript.exe VirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb3333ad-fb67-11dd-8e41-e6972354c4ef}]
shell\AutopLay\command - H:\xcbk.pif
shell\AutoRun\command - H:\xcbk.pif
shell\exPlore\command - H:\xcbk.pif
shell\opeN\command - H:\xcbk.pif


======List of files/folders created in the last 1 months======

2009-09-04 01:24:06 ----SHD---- C:\WINDOWS\Installer
2009-09-04 01:24:05 ----D---- C:\Program Files\Common Files\ODBC
2009-09-04 01:24:02 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-09-04 01:24:01 ----RD---- C:\Program Files
2009-09-04 01:24:01 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-09-04 01:24:01 ----D---- C:\Program Files\Common Files
2009-09-04 01:23:28 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-04 01:23:28 ----D---- C:\WINDOWS\system32\CatRoot
2009-09-04 01:23:03 ----SHD---- C:\System Volume Information
2009-09-04 01:23:03 ----D---- C:\Documents and Settings
2009-09-04 01:22:07 ----RASH---- C:\boot.ini
2009-09-04 01:17:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-04 01:17:38 ----RSD---- C:\WINDOWS\Fonts
2009-09-04 01:17:38 ----RD---- C:\WINDOWS\Web
2009-09-04 01:17:38 ----HD---- C:\WINDOWS\inf
2009-09-04 01:17:38 ----D---- C:\WINDOWS\WinSxS
2009-09-04 01:17:38 ----D---- C:\WINDOWS\twain_32
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Temp
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\wins
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\wbem
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\usmt
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\spool
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\ShellExt
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\Setup
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\ras
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\oobe
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\npp
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\mui
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\inetsrv
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\IME
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\icsxml
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\ias
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\export
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\drivers
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\dhcp
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\config
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\3com_dmi
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\3076
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\2052
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1054
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1042
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1041
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1037
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1033
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1031
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1028
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32\1025
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system32
2009-09-04 01:17:38 ----D---- C:\WINDOWS\system
2009-09-04 01:17:38 ----D---- C:\WINDOWS\security
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Resources
2009-09-04 01:17:38 ----D---- C:\WINDOWS\repair
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Provisioning
2009-09-04 01:17:38 ----D---- C:\WINDOWS\PeerNet
2009-09-04 01:17:38 ----D---- C:\WINDOWS\pchealth
2009-09-04 01:17:38 ----D---- C:\WINDOWS\mui
2009-09-04 01:17:38 ----D---- C:\WINDOWS\msapps
2009-09-04 01:17:38 ----D---- C:\WINDOWS\msagent
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Media
2009-09-04 01:17:38 ----D---- C:\WINDOWS\java
2009-09-04 01:17:38 ----D---- C:\WINDOWS\ime
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Help
2009-09-04 01:17:38 ----D---- C:\WINDOWS\ehome
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Driver Cache
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Debug
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Cursors
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Connection Wizard
2009-09-04 01:17:38 ----D---- C:\WINDOWS\Config
2009-09-04 01:17:38 ----D---- C:\WINDOWS\AppPatch
2009-09-04 01:17:38 ----D---- C:\WINDOWS\addins
2009-09-04 01:17:38 ----D---- C:\WINDOWS
2009-09-03 21:56:21 ----D---- C:\WINDOWS\Motive
2009-09-03 21:56:13 ----D---- C:\Program Files\Common Files\bsnlLite
2009-09-03 21:56:13 ----D---- C:\Program Files\BSNL Lite
2009-09-03 21:55:37 ----SHD---- C:\RECYCLER
2009-09-03 21:49:19 ----D---- C:\Program Files\Common Files\Motive
2009-09-03 20:10:12 ----D---- C:\WINDOWS\system32\RTCOM
2009-09-03 20:09:51 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXPSP2$
2009-09-03 20:09:36 ----D---- C:\Program Files\Realtek
2009-09-03 20:09:35 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-03 20:09:26 ----D---- C:\Program Files\Common Files\InstallShield
2009-09-03 20:09:19 ----D---- C:\Program Files\MSXML 4.0
2009-09-03 20:08:47 ----D---- C:\TempEI4
2009-09-03 20:06:59 ----HD---- C:\Program Files\Uninstall Information
2009-09-03 20:06:24 ----D---- C:\WINDOWS\SoftwareDistribution
2009-09-03 20:06:22 ----D---- C:\WINDOWS\Prefetch
2009-09-03 20:06:21 ----SD---- C:\WINDOWS\system32\Microsoft
2009-09-03 20:03:23 ----D---- C:\WINDOWS\system32\xircom
2009-09-03 20:03:23 ----D---- C:\Program Files\xerox
2009-09-03 20:03:23 ----D---- C:\Program Files\microsoft frontpage
2009-09-03 20:02:24 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-09-03 20:02:24 ----RD---- C:\WINDOWS\Offline Web Pages
2009-09-03 20:02:17 ----HD---- C:\Program Files\WindowsUpdate
2009-09-03 20:02:01 ----D---- C:\WINDOWS\system32\DirectX
2009-09-03 20:01:32 ----D---- C:\Program Files\Common Files\Services
2009-09-03 20:01:30 ----SD---- C:\WINDOWS\Tasks
2009-09-03 20:01:29 ----D---- C:\Program Files\Common Files\MSSoap
2009-09-03 20:01:25 ----D---- C:\WINDOWS\srchasst
2009-09-03 20:01:24 ----D---- C:\WINDOWS\system32\Macromed
2009-09-03 20:01:16 ----D---- C:\Program Files\Movie Maker
2009-09-03 20:01:09 ----D---- C:\WINDOWS\system32\Restore
2009-09-03 20:01:05 ----D---- C:\Program Files\NetMeeting
2009-09-03 20:01:02 ----D---- C:\Program Files\Outlook Express
2009-09-03 20:00:56 ----D---- C:\Program Files\Common Files\System
2009-09-03 20:00:53 ----D---- C:\Program Files\Internet Explorer
2009-09-03 20:00:30 ----D---- C:\Program Files\ComPlus Applications
2009-09-03 20:00:25 ----D---- C:\WINDOWS\Registration
2009-09-03 20:00:19 ----D---- C:\Program Files\Windows Media Player
2009-09-03 20:00:19 ----D---- C:\Program Files\Online Services
2009-09-03 20:00:14 ----D---- C:\Program Files\Messenger
2009-09-03 20:00:10 ----D---- C:\Program Files\MSN Gaming Zone
2009-09-03 19:59:35 ----D---- C:\Program Files\MSN
2009-09-03 19:59:33 ----D---- C:\Program Files\Windows NT
2009-09-03 19:59:30 ----D---- C:\WINDOWS\system32\MsDtc
2009-09-03 19:59:28 ----D---- C:\WINDOWS\system32\Com
2009-03-01 02:51:32 ----D---- C:\Program Files\trend micro
2009-03-01 02:51:31 ----D---- C:\rsit
2009-02-27 22:33:48 ----D---- C:\Documents and Settings\sundeep\Application Data\Media Player Classic
2009-02-27 22:33:16 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-02-27 22:33:15 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-02-27 22:33:14 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-02-27 22:33:14 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-02-27 22:33:13 ----A---- C:\WINDOWS\system32\unrar.dll
2009-02-27 22:33:10 ----A---- C:\WINDOWS\system32\yv12vfw.dll
2009-02-27 22:33:07 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2009-02-27 22:33:07 ----A---- C:\WINDOWS\system32\xvidcore.dll
2009-02-27 22:33:04 ----A---- C:\WINDOWS\system32\qt-dx331.dll
2009-02-27 22:33:04 ----A---- C:\WINDOWS\system32\dpl100.dll
2009-02-27 22:33:04 ----A---- C:\WINDOWS\system32\divx.dll
2009-02-27 22:33:01 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2009-02-27 22:33:01 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2009-02-27 22:32:57 ----D---- C:\Program Files\K-Lite Codec Pack
2009-02-27 22:32:57 ----D---- C:\Documents and Settings\sundeep\Application Data\Real
2009-02-27 22:32:57 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Real
2009-02-22 18:26:34 ----D---- C:\Program Files\Prevx
2009-02-22 18:26:28 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\PrevxCSI
2009-02-22 18:26:27 ----A---- C:\WINDOWS\wininit.ini
2009-02-22 14:00:19 ----D---- C:\Downloads
2009-02-22 13:59:29 ----D---- C:\Documents and Settings\sundeep\Application Data\Free Download Manager
2009-02-22 13:59:24 ----D---- C:\Program Files\Free Download Manager
2009-02-22 13:59:24 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2009-02-22 13:15:38 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-02-22 13:09:18 ----D---- C:\Program Files\McAfee.com
2009-02-22 13:09:13 ----D---- C:\Program Files\Common Files\McAfee
2009-02-22 13:09:04 ----D---- C:\Program Files\McAfee
2009-02-22 13:08:45 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2009-02-21 22:20:28 ----SHD---- C:\Config.Msi
2009-02-21 22:11:34 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2009-02-20 23:25:02 ----D---- C:\Documents and Settings\sundeep\Application Data\Bitdefender
2009-02-20 23:02:53 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\BitDefender
2009-02-20 23:01:19 ----D---- C:\Program Files\Common Files\BitDefender
2009-02-20 22:59:44 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-02-19 20:52:13 ----D---- C:\myRTVAULT
2009-02-15 02:25:08 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\81F
2009-02-08 12:14:05 ----D---- C:\Program Files\Undisker
2009-02-08 02:59:59 ----D---- C:\Program Files\Auto Shutdown

======List of files/folders modified in the last 1 months======

2009-02-28 14:01:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-27 22:29:50 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-22 15:33:44 ----A---- C:\WINDOWS\win.ini
2009-02-22 15:33:44 ----A---- C:\WINDOWS\system.ini
2009-02-20 22:53:10 ----D---- C:\Program Files\Unlocker
2009-02-20 22:49:00 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-02-20 22:41:12 ----D---- C:\WINDOWS\pss
2009-02-12 22:56:33 ----D---- C:\Documents and Settings\sundeep\Application Data\Adobe
2009-02-08 06:42:23 ----AD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-09-01 36096]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-09-01 60800]
R3 asc3360pr;asc3360pr; \??\C:\WINDOWS\system32\drivers\gnkmvn.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-15 4402176]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-09-01 61824]
R3 usb_rndis;Broadcom USB Remote NDIS Device Driver; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-09-01 12672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-09-01 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-01 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-09-01 20480]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys []
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2008-05-07 17536]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2008-05-07 20864]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-06-11 12178688]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2008-06-06 8064]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-03 25600]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-02-22 4150840]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-09-01 15872]
R2 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-09-01 15872]
R2 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-09-01 15872]
R2 WebTool;WebTool; C:\PROGRA~1\MI4F93~1\webtool.exe [2000-02-04 705024]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-10-04 142336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 135456]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 510768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 218912]
S3 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 396504]
S3 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 165592]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-10 601896]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 127192]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2877632]
S4 msvsmon90;Visual Studio 2008 Remote Debugger; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2008-09-29 3341824]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-21 349480]

-----------------EOF-----------------
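A practitioner reading the driver and service listing above usually checks three things per entry: whether the bracketed date/size is empty (RSIT prints `[]` when it cannot read the file, which happens for missing files, files hidden from it, and unresolvable paths), whether the service name bears any relation to the image file name, and whether the file name looks machine-generated. None of these is evidence on its own: `ialm` is Intel's graphics driver and also has no file info, and several vendor drivers here have names unrelated to their files. An entry that hits all three, such as `asc3360pr` pointing at `\??\C:\WINDOWS\system32\drivers\gnkmvn.sys` above, is simply the one a helper would ask about first. The Python below is an added example, not part of the original post and not RSIT's own code. The line format it parses is taken from the listing above; the scoring threshold and the vowel-based "looks generated" test are my own assumptions, and the sample lines are copied from the listing.

```python
"""Triage the driver/service listing from an RSIT log.txt.

Added example (not part of the original post or of RSIT). It parses lines
of the form

    R3 asc3360pr;asc3360pr; \\??\\C:\\WINDOWS\\system32\\drivers\\gnkmvn.sys []
    R1 intelppm;Intel Processor Driver; C:\\WINDOWS\\system32\\DRIVERS\\intelppm.sys [2004-09-01 36096]

i.e. state (R/S) + start type (0-4), service name, display name, image path,
and in brackets the file's date and size. Empty brackets only mean RSIT could
not read the file; on their own they are not evidence of anything.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
VOWELS = set("aeiouy")


@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    path: str
    date: Optional[str]   # None when RSIT printed "[]"
    size: Optional[int]

    @property
    def file_stem(self) -> str:
        """Image file name without directory, NT '\\??\\' prefix or extension."""
        leaf = self.path.replace("\\??\\", "").rsplit("\\", 1)[-1]
        return leaf.rsplit(".", 1)[0].lower()


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one driver/service line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    info = m["info"].split()
    date = info[0] if info else None
    size = int(info[1]) if len(info) > 1 and info[1].isdigit() else None
    return Entry(m["state"] == "R", START_TYPES[m["start"]], m["name"],
                 m["display"], m["path"], date, size)


def looks_random(stem: str) -> bool:
    """Crude 'generated name' check (assumption): 6+ letters, no digits, no vowels."""
    return len(stem) >= 6 and stem.isalpha() and not (VOWELS & set(stem))


def reasons_for(e: Entry) -> List[str]:
    """Heuristic signals worth a second look; each one is weak on its own."""
    reasons = []
    if e.date is None:
        reasons.append("RSIT could not read the file (missing, hidden, or bad path)")
    if e.name.lower() != e.file_stem:
        reasons.append(f"service name {e.name!r} does not match file {e.file_stem!r}")
    if looks_random(e.file_stem):
        reasons.append(f"file name {e.file_stem!r} looks generated")
    return reasons


def triage(lines: List[str], min_score: int = 2) -> List[Tuple[Entry, List[str]]]:
    """Parse every driver/service line and rank those with >= min_score signals."""
    flagged = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        r = reasons_for(e)
        if len(r) >= min_score:
            flagged.append((e, r))
    flagged.sort(key=lambda er: (-len(er[1]), er[0].name.lower()))
    return flagged


# Sample lines copied from the RSIT listing in this post.
SAMPLE = [
    r"R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-09-01 36096]",
    r"R3 asc3360pr;asc3360pr; \??\C:\WINDOWS\system32\drivers\gnkmvn.sys []",
    r"S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys []",
    r"S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []",
    r"R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-02-22 4150840]",
    r"S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []",
]

if __name__ == "__main__":
    for e, r in triage(SAMPLE):
        state = "running" if e.running else "stopped"
        print(f"{e.name} ({state}, {e.start}) -> {e.path}")
        for reason in r:
            print("   -", reason)
```

Run against the sample, `asc3360pr` ranks first with all three signals and `ialm` follows with two; `intelppm`, `CSIScanner`, `MREMPR5` and `IntelIde` each trip at most one signal and are not reported. The output is a reading order for manual review, not a verdict: confirm a flagged file by checking it on disk and with a scanner before treating it as malicious.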

#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 February 2009 - 04:56 PM

Hi sundeep38

You can find both log files in your root directory (generally C:) under the folder path:
c:\rsit

Please post the info.txt once you find it.

Also, please note that my replies may take a while to post, since I am currently a member in training. Each of my fixes needs to be approved by a coach, so please be patient :thumbup2:

Edited by aommaster, 28 February 2009 - 04:56 PM.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 sundeep38

  • Topic Starter
  • Members
  • 11 posts

Posted 01 March 2009 - 04:29 AM

Thanks again. Below is the info.txt.

info.txt logfile of random's system information tool 1.05 2009-03-01 02:51:45

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Crystal Reports Basic for Visual Studio 2008-->MsiExec.exe /X{AA467959-A1D6-4F45-90CD-11DC57733F32}
Deep Zoom Composer-->MsiExec.exe /I{AC16E9D5-076A-4BEC-8A00-A1FD4B978411}
Download Accelerator Plus (DAP)-->C:\PROGRA~1\DAP\DAPREMOVE.EXE
Enterprise Library 4.1 - October 2008-->MsiExec.exe /I{45528AEA-4883-413E-ABB5-471AA26C20D8}
ExamDiff 1.7-->"C:\Program Files\ExamDiff\unins000.exe"
Free Download Manager 3.0-->"C:\Program Files\Free Download Manager\unins000.exe"
FRONTECH ECAM USB2.0 PC CAMERA-->C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\setup.exe -runfromtemp -l0x0009 -removeonly -u
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Downloads\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Office (KB950278)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {FED55BA1-5A70-44B4-8EB1-E72274AED780}
Hotfix for Office (KB950278)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FED55BA1-5A70-44B4-8EB1-E72274AED780}
Internet Explorer Developer Toolbar-->MsiExec.exe /I{E7081891-BC7F-43F9-9CE6-B5DD2F497156}
iTunes-->MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
K-Lite Mega Codec Pack 3.3.0-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ASP.NET 2.0 AJAX Extensions 1.0-->MsiExec.exe /X{082BDF7B-4810-4599-BF0D-E3AC44EC8524}
Microsoft ASP.NET 2.0 AJAX Templates for Visual Studio 2008-->MsiExec.exe /X{CC8B84F2-9878-11DC-8B4E-656655D89593}
Microsoft Device Emulator version 3.0 - ENU-->MsiExec.exe /X{B32E7732-B2FB-3FD0-81AC-6025B1104C66}
Microsoft Document Explorer 2008-->C:\Program Files\Common Files\Microsoft Shared\Help 9\Microsoft Document Explorer 2008\install.exe
Microsoft Document Explorer 2008-->MsiExec.exe /X{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}
Microsoft Expression Blend 2 Service Pack 1-->msiexec -qb /package {3891E1C9-8E9E-43E2-B009-6D008BCD7669} /uninstall {1B64B3D0-D0DB-4d99-B38D-B0D632A1780A}
Microsoft Expression Blend 2-->"C:\Program Files\Microsoft Expression\Blend 2\Setup\XSetup.exe" -x -AppLangId:1033 "-manifest:BlendManifest.cab" "-source:C:\Program Files\Microsoft Expression\Blend 2\Setup\;;"
Microsoft Expression Blend 2-->MsiExec.exe /I{3891E1C9-8E9E-43E2-B009-6D008BCD7669}
Microsoft Expression Design 2-->"C:\Program Files\Microsoft Expression\Design 2\Setup\XSetup.exe" -x -AppLangId:1033 "-manifest:DesignManifest.cab" "-source:C:\Program Files\Microsoft Expression\Design 2\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup"
Microsoft Expression Design 2-->MsiExec.exe /X{C3498122-091E-4999-9EBE-7513FE904F6A}
Microsoft Expression Encoder 2-->"C:\Program Files\Microsoft Expression\Encoder 2\Setup\XSetup.exe" -x -AppLangId:1033 "-manifest:EncoderManifest.cab" "-source:C:\Program Files\Microsoft Expression\Encoder 2\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup"
Microsoft Expression Encoder 2-->MsiExec.exe /X{6833995C-2FFD-4084-981A-001FF469146A}
Microsoft Expression Media 2-->MsiExec.exe /X{842CC0ED-FDC0-4FBF-8C09-2428BFE4FEE1}
Microsoft Expression Studio 2-->"C:\Program Files\Microsoft Expression\ExpressionStudio 2\Setup\XSetup.exe" -x -AppLangId:1033 "-manifest:ExpressionStudioManifest.cab" "-source:C:\Program Files\Microsoft Expression\ExpressionStudio 2\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup\;f:\8ab7a735f8d0d17d4a67dc\Setup"
Microsoft Expression Studio 2-->MsiExec.exe /X{88B743CB-F3E0-4456-AD08-40EE991EC28E}
Microsoft Expression Web 2 MUI (English)-->MsiExec.exe /X{90120000-0045-0409-0000-0000000FF1CE}
Microsoft Expression Web 2-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall XWEB /dll XSETUP.DLL
Microsoft Expression Web 2-->MsiExec.exe /X{90120000-0045-0000-0000-0000000FF1CE}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visual Web Developer 2007-->MsiExec.exe /X{90120000-0021-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer MUI (English) 2007-->MsiExec.exe /X{90120000-0021-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight 2 SDK-->MsiExec.exe /X{370BBA05-01E7-4BCC-9B38-E85DB8E13E11}
Microsoft Silverlight Tools for Visual Studio 2008 SP1 - ENU-->MsiExec.exe /X{C536BAE4-69AD-4E27-9D87-74DDAD231B7B}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Analysis Services-->MsiExec.exe /I{7294FFFD-D5D2-4410-B818-EFD4F002DDA4}
Microsoft SQL Server 2005 Backward compatibility-->MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English)-->MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Integration Services-->MsiExec.exe /I{FCE6F0D9-0888-4F8E-9C14-62F096CD8758}
Microsoft SQL Server 2005 Notification Services-->MsiExec.exe /I{40FB2E35-E9F3-491E-A4AA-666618310FAC}
Microsoft SQL Server 2005 Reporting Services-->MsiExec.exe /I{E7851F38-E3DC-4D94-AB72-FD527B95C4B7}
Microsoft SQL Server 2005 Tools-->MsiExec.exe /I{7085A287-2F7E-420C-B0D9-53AFA8341154}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005-->MsiExec.exe /I{28B22773-100E-4AF2-A1C9-2F2EA8A35844}
Microsoft SQL Server 2008 Management Objects-->MsiExec.exe /I{F5E87B12-3C27-452F-8E78-21D42164FD83}
Microsoft SQL Server Compact 3.5 for Devices ENU-->MsiExec.exe /I{241F2BF7-69EB-42A4-9156-96B2426C7504}
Microsoft SQL Server Compact 3.5 SP1 Design Tools English-->MsiExec.exe /X{0C19D563-5F25-4621-BF10-01F741BD283F}
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft SQL Server Database Publishing Wizard 1.3-->MsiExec.exe /I{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU-->MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Microsoft Visual Studio 2005 Tools for Office Runtime-->MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Microsoft Visual Studio 2008 Professional Edition - ENU Service Pack 1 (KB945140)-->C:\WINDOWS\system32\msiexec.exe /package {D7DAD1E4-45F4-3B2B-899A-EA728167EC4F} /uninstall {8CA89076-2A6D-42C3-AA24-F203C9E5DBF3} /qb+ REBOOTPROMPT=""
Microsoft Visual Studio 2008 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Studio 2008 Professional Edition - ENU\setup.exe
Microsoft Visual Studio Web Authoring Component-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISUALWEBDEVELOPER /dll OSETUP.DLL
Microsoft Web Application Stress Tool-->C:\PROGRA~1\MI4F93~1\UNWISE.EXE C:\PROGRA~1\MI4F93~1\INSTALL.LOG
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu-->MsiExec.exe /X{05EC21B8-4593-3037-A781-A6B5AFFCB19D}
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense-->MsiExec.exe /X{64c5b887-b5ee-42b8-8596-78905a6b5f1f}
Microsoft Windows SDK for Visual Studio 2008 SP1 Tools-->MsiExec.exe /X{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}
Mozilla Firefox (2.0.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio 2008 - ENU-->C:\Program Files\MSDN\MSDN9.0\MSDN Library for Visual Studio 2008 - ENU\setup.exe
MSDN Library for Visual Studio 2008 - ENU-->MsiExec.exe /X{3A762A82-618D-3CAA-B847-D074ABFA0B2E}
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB927977)-->MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MyGeneration 1.3 (remove only)-->"C:\Program Files\MyGeneration13\uninstall.exe"
Nero 7 Essentials-->MsiExec.exe /X{8EEA03C8-D820-411C-AB0C-9DD5EFAD1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{C3F19A5F-35A8-4FDB-A6ED-0F4CE398DA48}
Paint.NET v3.31-->MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
Prevx CSI-->"C:\Program Files\Prevx\prevx.exe" /prop UNINSTALL=Y
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
SQLXML4-->MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB956453)-->C:\WINDOWS\system32\msiexec.exe /package {D7DAD1E4-45F4-3B2B-899A-EA728167EC4F} /uninstall {821BDF82-18A2-4A16-95F5-00EF84779DDD} /qb+ REBOOTPROMPT=""
Update for Microsoft Visual Studio Web Authoring Component (KB945140)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {F9DE79A2-9049-4589-9787-815147371581}
Visual C++ 2008 IA64 Runtime - (v9.0.30729)-->MsiExec.exe /X{22E23C71-C27A-3F30-8849-BB6129E50679}
Visual C++ 2008 IA64 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {22E23C71-C27A-3F30-8849-BB6129E50679} /qb+ REBOOTPROMPT=""
Visual C++ 2008 x64 Runtime - (v9.0.30729)-->MsiExec.exe /X{0DF3AE91-E533-3960-8516-B23737F8B7A2}
Visual C++ 2008 x64 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {0DF3AE91-E533-3960-8516-B23737F8B7A2} /qb+ REBOOTPROMPT=""
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Visual Studio 2005 Tools for Office Second Edition Runtime-->C:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)-->C:\WINDOWS\system32\msiexec.exe /package {8FB53850-246A-3507-8ADE-0060093FFEA6} /uninstall {1AF8622B-42B6-472C-A634-487025BD7B38} /qb+ REBOOTPROMPT=""
Visual Studio Tools for the Office system 3.0 Runtime-->C:\Program Files\Common Files\Microsoft Shared\VSTO\9.0\Visual Studio Tools for the Office system 3.0 Runtime\install.exe
Visual Studio Tools for the Office system 3.0 Runtime-->MsiExec.exe /X{8FB53850-246A-3507-8ADE-0060093FFEA6}
Windows Driver Package - Nokia Modem (05/22/2008 3.8)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_6F90B0F4A73A2F780A1010B5D6CB5DDFB098181E\nokia_bluetooth.inf
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Mobile 5.0 SDK R2 for Pocket PC-->MsiExec.exe /I{6C9F6D23-E9AD-43C9-B43A-011562AAF876}
Windows Mobile 5.0 SDK R2 for Smartphone-->MsiExec.exe /I{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

FW: COMODO Firewall Pro

System event log

Computer Name: SUNNY
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.

Record Number: 14227
Source Name: Service Control Manager
Time Written: 20090204182826.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.

Record Number: 14226
Source Name: Service Control Manager
Time Written: 20090204182826.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SUNNY
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

Record Number: 14225
Source Name: Service Control Manager
Time Written: 20090204182826.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SUNNY
Event Code: 7036
Message: The NMIndexingService service entered the running state.

Record Number: 14224
Source Name: Service Control Manager
Time Written: 20090204182826.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 7035
Message: The NMIndexingService service was successfully sent a start control.

Record Number: 14223
Source Name: Service Control Manager
Time Written: 20090204182826.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: SUNNY
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 16817
Source Name: SecurityCenter
Time Written: 20090216154121.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 17
Message: The SQLBrowser is enabling Analysis Services discovery support.

Record Number: 16816
Source Name: SQLBrowser
Time Written: 20090216154121.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 12
Message: The SQLBrowser service has started.

Record Number: 16815
Source Name: SQLBrowser
Time Written: 20090216154121.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 5
Message: The flight recorder was started.

Record Number: 16814
Source Name: MSSQLServerOLAPService
Time Written: 20090216154121.000000+330
Event Type: information
User:

Computer Name: SUNNY
Event Code: 17137
Message: Starting up database 'master'.

Record Number: 16813
Source Name: MSSQLSERVER
Time Written: 20090216154121.000000+330
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\Common Files\Adobe\AGL
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"VS90COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
"lib"=C:\Program Files\SQLXML 4.0\bin\

-----------------EOF-----------------

#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 01 March 2009 - 11:56 AM

Hello, sundeep38.
Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log



#7 sundeep38

  • Topic Starter
  • Members
  • 11 posts

Posted 01 March 2009 - 01:49 PM

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:08 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\DOCUME~1\sundeep\LOCALS~1\Temp\nfxstw.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
F:\Antivirus\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

--
End of file - 2127 bytes

ComboFix Log

ComboFix 09-02-28.01 - sundeep 2009-03-01 23:56:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2028.1419 [GMT 5.5:30]
Running from: c:\documents and settings\sundeep\Desktop\ComboFix.exe
FW: COMODO Firewall Pro *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-27 22:33 . 2009-02-27 22:33 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Media Player Classic
2009-02-22 18:26 . 2009-03-01 23:48 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\PrevxCSI
2009-02-22 13:59 . 2009-03-02 00:00 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Free Download Manager
2009-02-22 13:59 . 2009-02-22 13:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2009-02-22 13:08 . 2009-02-22 13:10 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-02-21 22:11 . 2009-02-21 22:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-02-20 23:25 . 2009-02-21 22:20 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Bitdefender
2009-02-20 23:02 . 2009-02-20 23:04 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\BitDefender
2009-02-15 02:25 . 2009-02-15 02:25 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\81F

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 16:26 --------- d-----w c:\program files\Common Files\bsnlLite
2009-09-03 16:19 --------- d-----w c:\program files\Common Files\Motive
2009-09-03 14:39 --------- d-----w c:\program files\MSXML 4.0
2009-09-03 14:33 --------- d-----w c:\program files\microsoft frontpage
2009-03-01 07:30 --------- d-----w c:\program files\trend micro
2009-02-27 17:03 --------- d-----w c:\program files\K-Lite Codec Pack
2009-02-22 12:56 22,536 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-02-22 12:56 --------- d-----w c:\program files\Prevx
2009-02-22 08:29 --------- d-----w c:\program files\Free Download Manager
2009-02-22 07:40 --------- d-----w c:\program files\McAfee
2009-02-22 07:39 --------- d-----w c:\program files\McAfee.com
2009-02-22 07:39 --------- d-----w c:\program files\Common Files\McAfee
2009-02-21 16:46 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-21 16:46 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-21 16:46 147,488 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-02-21 16:46 1,584 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-02-20 19:35 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-20 17:23 --------- d-----w c:\program files\Unlocker
2009-02-08 06:44 --------- d-----w c:\program files\Undisker
2009-02-08 01:12 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-02-07 21:29 --------- d-----w c:\program files\Auto Shutdown
2009-01-18 10:20 --------- d-----w c:\documents and settings\sundeep\Application Data\Expression Media 2
2009-01-18 10:18 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-01-18 10:11 --------- d-----w c:\program files\Microsoft Expression
2009-01-18 10:07 --------- d-----w c:\program files\Common Files\Nikon
2009-01-14 09:31 --------- d-----w c:\program files\Microsoft Web Application Stress Tool
2009-01-10 18:20 --------- d-----w c:\program files\Microsoft
2007-03-12 09:01 66,672 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:01 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:01 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:01 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:01 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2004-09-01 09:30 359040 7b11118b078b88f87183fe69eda43137 c:\windows\system32\drivers\tcpip.sys

2004-09-01 09:30 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-09-01 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^DriveGuard.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\DriveGuard.lnk
backup=c:\windows\pss\DriveGuard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-21 15:43 226600 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsnlLiteTrayApp]
--a--c--- 2007-09-13 14:16 988672 c:\program files\BSNL Lite\bin\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 09:30 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-09-05 23:32 4450056 c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-07-11 16:09 20480 c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3817472 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 00:47 112936 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-07-10 10:51 358696 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1741312 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-06-11 08:44 230960 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 487424 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2007-05-10 16:58 425984 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2007-05-10 17:05 344064 c:\windows\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-09-19 17:34 4625648 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\vsnp2std.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\WINDOWS\\FixCamera.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\sundeep\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"=
"c:\\Program Files\\Prevx\\prevx.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=
"c:\\PROGRA~1\\FREEDO~1\\fdm.exe"=
"c:\\WINDOWS\\system32\\CF31990.exe"=
"c:\\DOCUME~1\\sundeep\\LOCALS~1\\Temp\\nfxstw.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-22 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-22 4150840]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
R2 WebTool;WebTool;c:\progra~1\MI4F93~1\webtool.exe [2009-01-14 705024]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2877632]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{269193d6-7c28-11dd-8c19-bc3f18eb2e6b}]
\SHEll\AutOpLaY\COMmAnd - H:\dcxlj.pif
\SHEll\AutoRun\command - H:\dcxlj.pif
\SHEll\eXPlorE\commaNd - H:\dcxlj.pif
\SHEll\opeN\cOmmANd - H:\dcxlj.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7546021d-80cd-11dd-8c29-a71d69cababe}]
\sHell\AuTOpLay\comMAnd - I:\lkikah.pif
\sHell\AutoRun\command - I:\lkikah.pif
\sHell\explORE\COmmaNd - I:\lkikah.pif
\sHell\oPen\COmMAnd - I:\lkikah.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d40fae-baf5-11dd-8d2f-001b5756f3d9}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb3333ad-fb67-11dd-8e41-e6972354c4ef}]
\sHEll\AutopLay\commAND - H:\xcbk.pif
\sHEll\AutoRun\command - H:\xcbk.pif
\sHEll\exPlore\cOMmAnd - H:\xcbk.pif
\sHEll\opeN\cOmmANd - H:\xcbk.pif

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
c:\windows\system32\SecSystem.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1078081533-682003330-1003.job
- c:\documents and settings\sundeep\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-28 00:51]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-0029581235290909mcinstcleanup - c:\docume~1\sundeep\LOCALS~1\Temp\002958~1.EXE
MSConfigStartUp-HotKeysCmds - c:\windows\system32\hkcmd.exe
MSConfigStartUp-IgfxTray - c:\windows\system32\igfxtray.exe
MSConfigStartUp-Persistence - c:\windows\system32\igfxpers.exe
MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe
MSConfigStartUp-RRT-Auto - c:\documents and settings\sundeep\Desktop\RRT\RRT.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sundeep\Application Data\Mozilla\Firefox\Profiles\5slzf6s4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 00:03:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\inetsrv\davcdata.exe
c:\docume~1\sundeep\LOCALS~1\Temp\nfxstw.exe
.
**************************************************************************
.
Completion time: 2009-03-02 0:12:15 - machine was rebooted [sundeep]
ComboFix-quarantined-files.txt 2009-03-01 18:42:13

Pre-Run: 26,226,077,696 bytes free
Post-Run: 27,784,069,120 bytes free


#8 aommaster (Malware Response Team, Dubai)

Posted 01 March 2009 - 02:53 PM

Hi sundeep38

Please generate a HijackThis log after you have run ComboFix. (If that was the log you got after ComboFix, let me know.)



#9 sundeep38 (Topic Starter, Members)

Posted 01 March 2009 - 03:35 PM

hi aommaster,

Yes, that's my HijackThis log after I ran ComboFix.

#10 aommaster (Malware Response Team, Dubai)

Posted 02 March 2009 - 01:32 PM

Hello, sundeep38.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

KILLALL::

FILE::
c:\DOCUME~1\sundeep\\LOCALS~1\Temp\nfxstw.exe
H:\dcxlj.pif
I:\lkikah.pif
C:\Windows\System32\VirusRemoval.vbs
c:\windows\system32\SecSystem.exe

REGISTRY::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"DisableRegedit"=-
[HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\CF31990.exe"=-
"c:\\DOCUME~1\\sundeep\\LOCALS~1\\Temp\\nfxstw.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{269193d6-7c28-11dd-8c19-bc3f18eb2e6b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7546021d-80cd-11dd-8c29-a71d69cababe}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d40fae-baf5-11dd-8d2f-001b5756f3d9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb3333ad-fb67-11dd-8e41-e6972354c4ef}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

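The indicators the CFScript in this post targets can be pulled out of a ComboFix log mechanically: the Policies\System values that lock out Task Manager and regedit, the MountPoints2 shell verbs that point at .pif/.vbs files on the H: and I: drives, the Active Setup stub for SecSystem.exe, and the firewall exception for a binary in the user's Temp folder. The Python below is an added example written for this thread; it is not ComboFix, HijackThis or BleepingComputer code. Finding, triage and build_cfscript are my own names, SAMPLE_LOG is an excerpt of the log in post #7 (the same parser would also catch a c:\windows\TEMP\... firewall exception of the kind the later log shows), and expanding ComboFix's HKLM\~\ shorthand to HKLM\SYSTEM\CurrentControlSet\ is an assumption of mine. It goes slightly beyond the script above by also reporting EnableFirewall=0, which that script did not touch.

```python
r"""Pull the persistence indicators discussed in this thread out of a ComboFix log.

Added example for this thread, not code from ComboFix, HijackThis or BleepingComputer.
Finding, triage() and build_cfscript() are my own names; SAMPLE_LOG is an excerpt of the
log in post #7; expanding HKLM\~\ to HKLM\SYSTEM\CurrentControlSet\ is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\CF31990.exe"=
"c:\\DOCUME~1\\sundeep\\LOCALS~1\\Temp\\nfxstw.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{269193d6-7c28-11dd-8c19-bc3f18eb2e6b}]
\SHEll\AutOpLaY\COMmAnd - H:\dcxlj.pif
\SHEll\AutoRun\command - H:\dcxlj.pif
\SHEll\eXPlorE\commaNd - H:\dcxlj.pif
\SHEll\opeN\cOmmANd - H:\dcxlj.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d40fae-baf5-11dd-8d2f-001b5756f3d9}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
c:\windows\system32\SecSystem.exe
"""

@dataclass(frozen=True)
class Finding:
    category: str  # lockout | firewall_off | firewall_hole | autorun | active_setup
    key: str       # registry key, as ComboFix printed it
    detail: str    # value name, shell verb and command, or file path

KEY_RE = re.compile(r"^\[(.+)\]$")
LOCKOUT_RE = re.compile(r'^"(DisableTaskMgr|DisableRegistryTools|DisableRegedit)"=\s*1\b')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTHAPP_RE = re.compile(r'^"(.+)"=\s*$')
SHELL_VERB_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

def triage(log_text: str) -> list[Finding]:
    """Walk [KEY] headers and the value lines under them, collecting indicators."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        k = key.lower()
        if k.endswith("\\policies\\system") and (m := LOCKOUT_RE.match(line)):
            findings.append(Finding("lockout", key, m.group(1)))  # Task Manager / regedit disabled
        elif k.endswith("\\firewallpolicy\\standardprofile") and FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_off", key, "EnableFirewall=0"))
        elif k.endswith("\\authorizedapplications\\list") and (m := AUTHAPP_RE.match(line)):
            path = m.group(1).replace("\\\\", "\\")  # ComboFix doubles backslashes here
            if TEMP_RE.search(path):  # firewall exception for a binary in a Temp folder
                findings.append(Finding("firewall_hole", key, path))
        elif "\\mountpoints2\\" in k and (m := SHELL_VERB_RE.match(line)):
            # Explorer's cached autorun.inf for a removable drive: open/explore/autoplay
            # redirected to a .pif/.vbs on the drive, so opening the drive runs the file.
            findings.append(Finding("autorun", key, f"{m.group(1).lower()} -> {m.group(2)}"))
        elif "\\active setup\\installed components\\" in k:
            # Active Setup stubs run once per user at logon; ComboFix hides default entries.
            findings.append(Finding("active_setup", key, line))
    return findings

def build_cfscript(findings: list[Finding]) -> str:
    """Render findings in the CFScript syntax of post #10 ('=-' drops a value, '[-KEY]' a key)."""
    files: list[str] = []
    reg: list[str] = []
    for f in findings:
        full_key = f.key.replace("HKLM\\~\\", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\")
        if f.category == "lockout":
            reg += [f"[{full_key}]", f'"{f.detail}"=-']
        elif f.category == "firewall_hole":
            reg += [f"[{full_key}]", '"' + f.detail.replace("\\", "\\\\") + '"=-']
            files.append(f.detail)
        elif f.category == "autorun":
            reg.append(f"[-{full_key}]")
            cmd = f.detail.split(" -> ", 1)[1]
            if re.match(r"^[A-Za-z]:\\", cmd):  # only drive-letter paths; bare names stay manual
                files.append(cmd)
        elif f.category == "active_setup":
            reg.append(f"[-{full_key}]")
            files.append(f.detail)
    reg, files = list(dict.fromkeys(reg)), list(dict.fromkeys(files))  # dedupe, keep order
    return "KILLALL::\n\nFILE::\n" + "\n".join(files) + "\n\nREGISTRY::\n" + "\n".join(reg) + "\n"
```

The output is a draft in the same CFScript syntax as above ("=-" deletes a value, "[-KEY]" deletes a whole key); it is meant for reading a log alongside a helper, not for running on your own, so the warning in post #6 still applies. Commands that are not drive-letter paths, such as wscript.exe VirusRemoval.vbs, are left for a person to locate, which is what the helper did here by adding C:\Windows\System32\VirusRemoval.vbs by hand.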


#11 sundeep38 (Topic Starter, Members)

Posted 05 March 2009 - 02:19 PM

Sorry for replying late.

Following are my observations while performing the above actions:

1. I downloaded ATF-Cleaner.exe and tried to run the file. I am able to see the application's user interface for just a fraction of a second and it shuts down before I am able to check the option (Select All). Somehow I managed it by clicking instantly as the window opened; it gave a popup with a message like "ATF-Cleaner.exe has cleaned.....".

2. After that I dragged the text file onto ComboFix.exe.

3. One improvement after doing all this is that now I am able to see the 'Task Manager' link enabled when I right-click on the task bar. But the problem is that when I click on it, Task Manager opens and within a fraction of a second it disappears.

Here is my latest combofix and hijackthis logs:

ComboFix

ComboFix 09-02-28.01 - sundeep 2009-03-06 0:21:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2028.1529 [GMT 5.5:30]
Running from: c:\documents and settings\sundeep\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sundeep\Desktop\CFScript.txt
FW: COMODO Firewall Pro *enabled*
* Created a new restore point

FILE ::
c:\docume~1\sundeep\\LOCALS~1\Temp\nfxstw.exe
c:\windows\system32\SecSystem.exe
c:\windows\System32\VirusRemoval.vbs
H:\dcxlj.pif
I:\lkikah.pif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SecSystem.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-02-27 22:33 . 2009-02-27 22:33 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Media Player Classic
2009-02-22 18:26 . 2009-03-02 01:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\PrevxCSI
2009-02-22 13:59 . 2009-03-06 00:20 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Free Download Manager
2009-02-22 13:59 . 2009-02-22 13:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2009-02-22 13:08 . 2009-02-22 13:10 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-02-21 22:11 . 2009-02-21 22:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-02-20 23:25 . 2009-02-21 22:20 <DIR> d-------- c:\documents and settings\sundeep\Application Data\Bitdefender
2009-02-20 23:02 . 2009-02-20 23:04 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\BitDefender
2009-02-15 02:25 . 2009-02-15 02:25 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\81F

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 16:26 --------- d-----w c:\program files\Common Files\bsnlLite
2009-09-03 16:19 --------- d-----w c:\program files\Common Files\Motive
2009-09-03 14:39 --------- d-----w c:\program files\MSXML 4.0
2009-09-03 14:33 --------- d-----w c:\program files\microsoft frontpage
2009-03-01 07:30 --------- d-----w c:\program files\trend micro
2009-02-27 17:03 --------- d-----w c:\program files\K-Lite Codec Pack
2009-02-22 12:56 22,536 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-02-22 12:56 --------- d-----w c:\program files\Prevx
2009-02-22 08:29 --------- d-----w c:\program files\Free Download Manager
2009-02-22 07:40 --------- d-----w c:\program files\McAfee
2009-02-22 07:39 --------- d-----w c:\program files\McAfee.com
2009-02-22 07:39 --------- d-----w c:\program files\Common Files\McAfee
2009-02-21 16:46 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-21 16:46 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-21 16:46 147,488 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-02-21 16:46 1,584 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-02-20 19:35 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-20 17:23 --------- d-----w c:\program files\Unlocker
2009-02-08 06:44 --------- d-----w c:\program files\Undisker
2009-02-08 01:12 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-02-07 21:29 --------- d-----w c:\program files\Auto Shutdown
2009-01-18 10:20 --------- d-----w c:\documents and settings\sundeep\Application Data\Expression Media 2
2009-01-18 10:18 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-01-18 10:11 --------- d-----w c:\program files\Microsoft Expression
2009-01-18 10:07 --------- d-----w c:\program files\Common Files\Nikon
2009-01-14 09:31 --------- d-----w c:\program files\Microsoft Web Application Stress Tool
2009-01-10 18:20 --------- d-----w c:\program files\Microsoft
2007-03-12 09:01 66,672 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:01 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:01 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:01 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:01 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2004-09-01 09:30 359040 7b11118b078b88f87183fe69eda43137 c:\windows\system32\drivers\tcpip.sys

2004-09-01 09:30 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-02_ 0.09.31.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-01 18:34:01 268,745 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-05 19:02:06 268,749 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-10-05 03:24:04 235,936 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 313,760 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-03-05 19:01:27 10,240 ----a-w c:\windows\temp\aajgan.exe
+ 2009-03-05 18:58:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2bc.dat
+ 2009-03-05 19:01:37 10,240 ----a-w c:\windows\temp\winjheu.exe
+ 2009-03-05 19:01:24 7,680 ----a-w c:\windows\temp\winrpcok.exe
+ 2009-03-05 19:01:33 10,240 ----a-w c:\windows\temp\winsswtv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-09-01 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1741312]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^DriveGuard.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\DriveGuard.lnk
backup=c:\windows\pss\DriveGuard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-21 15:43 226600 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bsnlLiteTrayApp]
--a--c--- 2007-09-13 14:16 988672 c:\program files\BSNL Lite\bin\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 09:30 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-09-05 23:32 4450056 c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-07-11 16:09 20480 c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3817472 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 00:47 112936 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-07-10 10:51 358696 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1741312 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-06-11 08:44 230960 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 487424 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2007-05-10 16:58 425984 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2007-05-10 17:05 344064 c:\windows\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-09-19 17:34 4625648 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\vsnp2std.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\WINDOWS\\FixCamera.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\sundeep\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"=
"c:\\Program Files\\Prevx\\prevx.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=
"c:\\PROGRA~1\\FREEDO~1\\fdm.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\CF18390.exe"=
"c:\\WINDOWS\\TEMP\\aajgan.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-22 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-22 4224568]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
R2 WebTool;WebTool;c:\progra~1\MI4F93~1\webtool.exe [2009-01-14 705024]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2877632]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1078081533-682003330-1003.job
- c:\documents and settings\sundeep\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-28 00:51]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sundeep\Application Data\Mozilla\Firefox\Profiles\5slzf6s4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 00:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\wscntfy.exe
c:\windows\temp\aajgan.exe
.
**************************************************************************
.
Completion time: 2009-03-06 0:36:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 19:06:37
ComboFix2.txt 2009-03-01 18:42:16

Pre-Run: 26,518,646,784 bytes free
Post-Run: 26,316,636,160 bytes free

228



Hijack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:49 AM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\aajgan.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Antivirus\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

--
End of file - 2112 bytes

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:50 PM

Posted 07 March 2009 - 09:11 PM

Hello, sundeep38.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Physically disconnect your computer from your modem/router.
If your computer is running, shut down Windows, then turn the power off.
Wait 30 seconds, turn the computer on, and begin tapping the F8 key (if this doesn't work try the F5 key).
The Windows Advanced Options Menu will appear.
Select Safe Mode using the up/down arrow keys then press Enter.
Log on with an account that has administrator privileges, usually your own account.
Do NOT log on using the account named Administrator.
If you cannot boot into safe mode using this method, it is important that you let me know.
Do not attempt to boot into Safe Mode using MSCONFIG or any other method.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

KILLALL::

COLLECT::
c:\windows\temp\aajgan.exe

FILE::
c:\windows\temp\Perflib_Perfdata_2bc.dat
c:\windows\temp\winjheu.exe
c:\windows\temp\winrpcok.exe
c:\windows\temp\winsswtv.exe

DRIVER::
ASC3360PR

REGISTRY::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= -
"DisableRegistryTools"= -
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\CF18390.exe"=-
"c:\\WINDOWS\\TEMP\\aajgan.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:
Restart your computer in normal mode

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log
  • gmer.txt


Important: Please ensure that you rename HijackThis before generating the log. Rename the main executable located at C:\Program Files\Trend Micro\HijackThis to anything, such as your name, etc.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
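The two firewall exceptions the script above deletes (CF18390.exe in system32 and aajgan.exe in TEMP) can be picked out of a ComboFix log mechanically. This is an added example, not part of this thread and not ComboFix's own code: a Python script that parses the firewallpolicy sections of such a log (a constructed excerpt mirroring the log posted above is embedded) and flags a disabled firewall, an allowed executable living under a temp directory, and a random-looking name of the CF18390.exe shape.

```python
import re

# Constructed excerpt in ComboFix's log layout, mirroring the entries posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\CF18390.exe"=
"c:\\WINDOWS\\TEMP\\aajgan.exe"=
"""

TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
# Two letters followed by a run of digits, the shape of CF18390.exe in the log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{2}\d{4,}\.exe$", re.IGNORECASE)


def parse_firewall_policy(log_text):
    """Return (EnableFirewall value or None, list of authorized application paths)."""
    enable, apps, section = None, [], ""
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # registry key the following values belong to
        elif section.endswith("firewallpolicy\\standardprofile"):
            if m := re.match(r'"EnableFirewall"=\s*(\d+)', line):
                enable = int(m.group(1))
        elif section.endswith("authorizedapplications\\list"):
            if m := re.match(r'^"(.+)"=\s*$', line):
                apps.append(m.group(1).replace("\\\\", "\\"))  # the log doubles backslashes
    return enable, apps


def suspicious_exceptions(apps):
    """Flag firewall exceptions that legitimate installers rarely create."""
    findings = []
    for path in apps:
        if TEMP_DIR_RE.search(path):
            findings.append((path, "executable allowed through the firewall from a temp directory"))
        elif RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            findings.append((path, "random-looking executable name"))
    return findings


def review(log_text):
    """Combine the firewall state and the exception findings into one report."""
    enable, apps = parse_firewall_policy(log_text)
    findings = suspicious_exceptions(apps)
    if enable == 0:
        findings.insert(0, ("EnableFirewall", "Windows Firewall disabled for the standard profile"))
    return findings
```

To use it on a real log, call review() on the contents of a saved ComboFix.txt; on the excerpt above it reports the disabled firewall plus exactly the two entries the CFScript removes.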


#13 sundeep38

sundeep38
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 08 March 2009 - 11:19 AM

Hi,

I failed at the first step itself. As I said before, when I press F8 and choose the Safe Mode option to log on to Windows, the computer restarts instantly and then starts normally.

Thanks,
Sundeep.

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:03:50 PM

Posted 08 March 2009 - 11:30 AM

Hi sundeep38

Okay, in that case, please carry out those instructions in normal mode. However, I do expect you will have trouble running ATF Cleaner (you may have the same problem that the window may open and then close). If that is the case, please proceed to the combofix script and then the GMER scan.

Let me know how it works out.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 sundeep38

sundeep38
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 08 March 2009 - 03:26 PM

Hello,

Please find the attached files.

Thanks,
Sundeep.

Attached Files





