Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

cannot access email websites, tsk mgr, registry disabled-Help!!!


  • This topic is locked This topic is locked
17 replies to this topic

#1 arpu31

arpu31

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 18 April 2009 - 12:02 PM

Below are the Hijack this logs..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:14 PM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Arpit\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Machine Debug Manager] C:\WINDOWS\system32\MDM.EXE
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [winmgmt] C:\WINDOWS\system32\wmiprvse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [PolicyRun] C:\WINDOWS\system32\spoolsv32.exe
O4 - HKUS\S-1-5-21-187776914-1291631752-3644101738-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-187776914-1291631752-3644101738-1006\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-187776914-1291631752-3644101738-1006\..\Run: [winmgmt] C:\WINDOWS\system32\wmiprvse.exe (User '?')
O4 - HKUS\S-1-5-21-187776914-1291631752-3644101738-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Program Files\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Cake%20Mania/Images/stg_drm.ocx
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Cake%20Mania/Images/armhelper.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12030 bytes

BC AdBot (Login to Remove)

 


#2 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 18 April 2009 - 12:59 PM

attached are my DDS logs...

Attached Files



#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 19 April 2009 - 11:38 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Also post a new log from DDS.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 21 April 2009 - 07:29 PM

Appreciate your reply...

I followd the stpes you mentioned...MBM showed three isues and showed that task manager and registry is disabled...but it did not delete it since i cannot access it yet. Also, I cannot run lot of programs and cannot install new programs...when I close IE, I see some iedmsg.dll application error everytime...

Attached are all the logs...

DDS (Ver_09-03-16.01) - NTFSx86
Run by Arpit at 20:16:58.79 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [winmgmt] c:\windows\system32\wmiprvse.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Machine Debug Manager] c:\windows\system32\MDM.EXE
mRun: [KeyAccess] c:\windows\keyacc32.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mExplorerRun: [PolicyRun] c:\windows\system32\spoolsv32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Download with Xilisoft Download YouTube Video - c:\program files\xilisoft\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Cake%20Mania/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.com/download/SOPCORE.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Cake%20Mania/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-18 11:42 161,792 a------- c:\windows\SWREG.exe
2009-04-18 11:42 98,816 a------- c:\windows\sed.exe
2009-04-18 11:42 <DIR> --d----- C:\ComboFix
2009-04-18 11:42 470,528 a------- c:\windows\system32\CF9656.exe
2009-04-02 14:14 16,244 a------- c:\windows\system32\rrt_is.wav
2009-04-02 14:14 7,302 a------- c:\windows\system32\rrt_vf.wav
2009-04-02 14:14 7,148 a------- c:\windows\system32\rrt_tv.wav
2009-04-02 14:14 6,282 a------- c:\windows\system32\rrt_tn.wav

==================== Find3M ====================

2009-03-04 19:39 61,440 a------- c:\windows\system32\drivers\jykztcox.sys
2009-03-04 19:31 61,440 a------- c:\windows\system32\drivers\dcdmt.sys
2008-11-21 23:28 24,192 a------- c:\documents and settings\arpit\usbsermptxp.sys
2008-11-21 23:28 22,768 a------- c:\documents and settings\arpit\usbsermpt.sys
2008-07-01 15:34 5,000,000 a------- c:\documents and settings\arpit\down_5M.zip
2008-07-01 14:40 3,000,000 a------- c:\documents and settings\arpit\down_3M.zip
2008-07-01 14:24 3,011,100 a------- c:\documents and settings\arpit\up_3M.zip
2008-07-01 11:10 1,000,000 a------- c:\documents and settings\arpit\down_1M.zip
2008-06-26 19:51 10,000,000 a------- c:\documents and settings\arpit\down_10M.zip
2008-06-26 19:08 2,000,000 a------- c:\documents and settings\arpit\down_2M.zip
2008-06-26 15:25 500,000 a------- c:\documents and settings\arpit\down_500k.zip
2008-06-25 17:49 1,000,000 a------- c:\documents and settings\arpit\up_1M.zip
2008-05-22 22:01 0 a------- c:\documents and settings\arpit\doen_5M.zip
2008-05-22 17:35 5,000,000 a------- c:\documents and settings\arpit\up_5M.zip
2008-05-22 15:50 500,000 a------- c:\documents and settings\arpit\up_500k.zip
2008-05-21 17:35 2,007,400 a------- c:\documents and settings\arpit\up_2M.zip
2005-10-22 00:57 56 ---shr-- c:\windows\system32\FCC0B1D40A.sys
2004-08-03 20:56 88,440 a--shr-- c:\windows\system32\mgrShell.exe
2007-09-08 20:21 282,624 ---sh--- c:\windows\system32\_windows.exe

============= FINISH: 20:17:10.91 ===============



Malwarebytes' Anti-Malware 1.34
Database version: 2015
Windows 5.1.2600 Service Pack 2

4/21/2009 7:52:48 PM
mbam-log-2009-04-21 (19-52-48).txt

Scan type: Quick Scan
Objects scanned: 89794
Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files


Edited by Buckeye_Sam, 22 April 2009 - 10:21 AM.
added logs


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 22 April 2009 - 10:25 AM

I see you have Combofix already from a few days ago. Let's get rid of that one and make sure we have the most up to date version.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 24 April 2009 - 08:37 PM

HI SAM.. I ran the combofix as per your instructions...After it completed rebooting it gave some errors showing the 'Registry has been disabled by the administrator'. Below are the logs/...


ComboFix 09-04-25.03 - Arpit 04/24/2009 21:11.3 - NTFSx86
Running from: c:\documents and settings\Arpit\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-02 18:14 . 2009-04-02 18:14 7302 ----a-w c:\windows\system32\rrt_vf.wav
2009-04-02 18:14 . 2009-04-02 18:14 7148 ----a-w c:\windows\system32\rrt_tv.wav
2009-04-02 18:14 . 2009-04-02 18:14 6282 ----a-w c:\windows\system32\rrt_tn.wav
2009-04-02 18:14 . 2009-04-02 18:14 16244 ----a-w c:\windows\system32\rrt_is.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 15:56 . 2007-11-17 00:53 -------- d-----w c:\documents and settings\Arpit\Application Data\Free Download Manager
2009-04-17 18:21 . 2005-07-24 05:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-26 19:23 . 2005-08-27 20:05 -------- d-----w c:\program files\Google
2009-03-04 23:39 . 2009-03-04 23:39 61440 ----a-w c:\windows\system32\drivers\jykztcox.sys
2009-03-04 23:39 . 2009-03-04 23:39 172 ----a-w C:\eivntpxj.txt
2009-03-04 23:31 . 2009-03-04 23:31 61440 ----a-w c:\windows\system32\drivers\dcdmt.sys
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\Arpit\Application Data\Malwarebytes
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 00:23 . 2005-08-20 04:16 -------- d-----w c:\program files\Winamp
2008-11-22 03:28 . 2008-11-22 03:28 24192 ----a-w c:\documents and settings\Arpit\usbsermptxp.sys
2008-11-22 03:28 . 2008-11-22 03:28 22768 ----a-w c:\documents and settings\Arpit\usbsermpt.sys
2008-07-01 19:34 . 2008-05-22 21:25 5000000 ----a-w c:\documents and settings\Arpit\down_5M.zip
2008-07-01 18:40 . 2008-05-22 16:55 3000000 ----a-w c:\documents and settings\Arpit\down_3M.zip
2008-07-01 18:24 . 2008-07-01 18:21 3011100 ----a-w c:\documents and settings\Arpit\up_3M.zip
2008-07-01 15:10 . 2008-05-22 19:27 1000000 ----a-w c:\documents and settings\Arpit\down_1M.zip
2008-06-26 23:51 . 2008-06-25 22:56 10000000 ----a-w c:\documents and settings\Arpit\down_10M.zip
2008-06-26 23:08 . 2008-05-21 21:37 2000000 ----a-w c:\documents and settings\Arpit\down_2M.zip
2008-06-26 19:25 . 2008-06-26 16:26 500000 ----a-w c:\documents and settings\Arpit\down_500k.zip
2008-06-25 21:49 . 2008-05-23 14:06 1000000 ----a-w c:\documents and settings\Arpit\up_1M.zip
2008-05-23 02:01 . 2008-05-23 02:01 0 ----a-w c:\documents and settings\Arpit\doen_5M.zip
2008-05-22 21:35 . 2008-05-22 21:35 5000000 ----a-w c:\documents and settings\Arpit\up_5M.zip
2008-05-22 19:50 . 2008-05-22 19:50 500000 ----a-w c:\documents and settings\Arpit\up_500k.zip
2008-05-21 21:35 . 2008-05-21 21:35 2007400 ----a-w c:\documents and settings\Arpit\up_2M.zip
2008-02-06 05:13 . 2005-09-01 20:41 65192 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-05 15:43 . 2005-09-05 15:43 128 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\fusioncache.dat
2005-10-22 04:57 . 2005-08-30 12:35 56 --sh--r c:\windows\system32\FCC0B1D40A.sys
2004-08-04 00:56 . 2008-04-26 18:00 88440 --sha-r c:\windows\system32\mgrShell.exe
2007-09-09 00:21 . 2008-10-01 03:42 282624 --sh--w c:\windows\system32\_windows.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WIRED Login.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WIRED Login.lnk
backup=c:\windows\pss\WIRED Login.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\SYMANT~1\\SCRIPT~1\\SBServ.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=

R3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\Drivers\M1000KNT.sys [2004-06-16 443211]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]
R3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\DRIVERS\qcmdmxp.sys [2006-12-27 92800]
R3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\DRIVERS\qcserxp.sys [2006-12-27 92800]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WINIO
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - dsunidrv
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - EvtEng
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - IWCA
*Deregistered* - KodakCCS
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVPrcMon
*Deregistered* - LVPrcSrv
*Deregistered* - LVUSBSta
*Deregistered* - matlabserver
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PrismXL
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RegSrvc
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - SAVRTPEL
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - ScsiAccess
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WINIO
*Deregistered* - winmgmt
*Deregistered* - WLANKEEPER
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a0b8ba-f065-11dd-bc17-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a0b8bb-f065-11dd-bc17-0013ce2012aa}]
\Shell\Auto\command - F:\windows.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL windows.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7abadf30-2e8a-11de-b4d4-0013ce2012aa}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c7ea5b2-453e-11dd-bbab-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aee874a0-c7c4-11dc-bb38-0013ce2012aa}]
\Shell\AutoRun\command - scvhosts.exe
\Shell\Open\command - scvhosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3649e90-b877-11dd-bc06-0013ce2012aa}]
\Shell\Auto\command - E:\windows.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL windows.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5bfab-8d2f-11db-babe-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5bfac-8d2f-11db-babe-0013ce2012aa}]
\Shell\Auto\command - G:\windows.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL windows.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-25 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Mansi.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 19:47]

2009-04-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-07-24 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 21:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(5888)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\spoolsv32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
c:\windows\system32\dla\tfswctrl.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\windows\keyacc32.exe
c:\program files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\matlab6p5\bin\win32\matlab.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ScsiAccess.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-25 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 01:29

Pre-Run: 3,968,380,928 bytes free
Post-Run: 3,944,517,632 bytes free

348

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 25 April 2009 - 08:31 AM

What is this?

C:\eivntpxj.txt

Can you copy the text from this file and post it here?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 25 April 2009 - 11:44 PM

The text in that file is


Files to delete:
C:\WINDOWS\system32\wmiprvse.exe
C:\WINDOWS\system32\wmiprvse.exe

Thanks!

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 26 April 2009 - 10:49 AM

Do you have any idea where that file came from?


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
G:\windows.exe
E:\windows.exe
F:\windows.exe
c:\windows\system32\mgrShell.exe
c:\windows\system32\_windows.exe
c:\windows\system32\drivers\jykztcox.sys
c:\windows\system32\drivers\dcdmt.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5bfac-8d2f-11db-babe-0013ce2012aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3649e90-b877-11dd-bc06-0013ce2012aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aee874a0-c7c4-11dc-bb38-0013ce2012aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a0b8bb-f065-11dd-bc17-0013ce2012aa}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0
"DisableRegistryTools"=0
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 26 April 2009 - 11:28 PM

I am not sure where that file came from..... also...still no difference on the laptop...still comes up with the message that Registry is disabled by the admin' several times/// Below are the logs...

ComboFix 09-04-25.03 - Arpit 04/26/2009 22:45.4 - NTFSx86
Running from: c:\documents and settings\Arpit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Arpit\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\_windows.exe
c:\windows\system32\drivers\dcdmt.sys
c:\windows\system32\drivers\jykztcox.sys
c:\windows\system32\mgrShell.exe
E:\windows.exe
F:\windows.exe
G:\windows.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_windows.exe
c:\windows\system32\drivers\dcdmt.sys
c:\windows\system32\drivers\jykztcox.sys
c:\windows\system32\mgrShell.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-02 18:14 . 2009-04-02 18:14 7302 ----a-w c:\windows\system32\rrt_vf.wav
2009-04-02 18:14 . 2009-04-02 18:14 7148 ----a-w c:\windows\system32\rrt_tv.wav
2009-04-02 18:14 . 2009-04-02 18:14 6282 ----a-w c:\windows\system32\rrt_tn.wav
2009-04-02 18:14 . 2009-04-02 18:14 16244 ----a-w c:\windows\system32\rrt_is.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 15:56 . 2007-11-17 00:53 -------- d-----w c:\documents and settings\Arpit\Application Data\Free Download Manager
2009-04-17 18:21 . 2005-07-24 05:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-26 19:23 . 2005-08-27 20:05 -------- d-----w c:\program files\Google
2009-03-04 23:39 . 2009-03-04 23:39 172 ----a-w C:\eivntpxj.txt
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\Arpit\Application Data\Malwarebytes
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 03:28 . 2008-11-22 03:28 24192 ----a-w c:\documents and settings\Arpit\usbsermptxp.sys
2008-11-22 03:28 . 2008-11-22 03:28 22768 ----a-w c:\documents and settings\Arpit\usbsermpt.sys
2008-07-01 19:34 . 2008-05-22 21:25 5000000 ----a-w c:\documents and settings\Arpit\down_5M.zip
2008-07-01 18:40 . 2008-05-22 16:55 3000000 ----a-w c:\documents and settings\Arpit\down_3M.zip
2008-07-01 18:24 . 2008-07-01 18:21 3011100 ----a-w c:\documents and settings\Arpit\up_3M.zip
2008-07-01 15:10 . 2008-05-22 19:27 1000000 ----a-w c:\documents and settings\Arpit\down_1M.zip
2008-06-26 23:51 . 2008-06-25 22:56 10000000 ----a-w c:\documents and settings\Arpit\down_10M.zip
2008-06-26 23:08 . 2008-05-21 21:37 2000000 ----a-w c:\documents and settings\Arpit\down_2M.zip
2008-06-26 19:25 . 2008-06-26 16:26 500000 ----a-w c:\documents and settings\Arpit\down_500k.zip
2008-06-25 21:49 . 2008-05-23 14:06 1000000 ----a-w c:\documents and settings\Arpit\up_1M.zip
2008-05-23 02:01 . 2008-05-23 02:01 0 ----a-w c:\documents and settings\Arpit\doen_5M.zip
2008-05-22 21:35 . 2008-05-22 21:35 5000000 ----a-w c:\documents and settings\Arpit\up_5M.zip
2008-05-22 19:50 . 2008-05-22 19:50 500000 ----a-w c:\documents and settings\Arpit\up_500k.zip
2008-05-21 21:35 . 2008-05-21 21:35 2007400 ----a-w c:\documents and settings\Arpit\up_2M.zip
2008-02-06 05:13 . 2005-09-01 20:41 65192 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-05 15:43 . 2005-09-05 15:43 128 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\fusioncache.dat
2005-10-22 04:57 . 2005-08-30 12:35 56 --sh--r c:\windows\system32\FCC0B1D40A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WIRED Login.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WIRED Login.lnk
backup=c:\windows\pss\WIRED Login.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\SYMANT~1\\SCRIPT~1\\SBServ.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=

R3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\Drivers\M1000KNT.sys [2004-06-16 443211]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]
R3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\DRIVERS\qcmdmxp.sys [2006-12-27 92800]
R3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\DRIVERS\qcserxp.sys [2006-12-27 92800]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WINIO
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - dsunidrv
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - EvtEng
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - IWCA
*Deregistered* - KodakCCS
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVPrcMon
*Deregistered* - LVPrcSrv
*Deregistered* - LVUSBSta
*Deregistered* - matlabserver
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PrismXL
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RegSrvc
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - SAVRTPEL
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - ScsiAccess
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WINIO
*Deregistered* - winmgmt
*Deregistered* - WLANKEEPER
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a0b8ba-f065-11dd-bc17-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7abadf30-2e8a-11de-b4d4-0013ce2012aa}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c7ea5b2-453e-11dd-bbab-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5bfab-8d2f-11db-babe-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-25 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Mansi.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 19:47]

2009-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-07-24 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(6736)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\matlab6p5\bin\win32\matlab.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\spoolsv32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
c:\windows\system32\dla\tfswctrl.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\keyacc32.exe
c:\program files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-27 23:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 03:04
ComboFix2.txt 2009-04-25 01:29

Pre-Run: 2,496,077,824 bytes free
Post-Run: 2,151,448,576 bytes free

354


Thanks!!

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 27 April 2009 - 05:11 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 28 April 2009 - 08:40 PM

still the same...cannot open registry and emials///

mComboFix 09-04-25.03 - Arpit 04/28/2009 21:16.5 - NTFSx86
Running from: c:\documents and settings\Arpit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Arpit\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-02 18:14 . 2009-04-02 18:14 7302 ----a-w c:\windows\system32\rrt_vf.wav
2009-04-02 18:14 . 2009-04-02 18:14 7148 ----a-w c:\windows\system32\rrt_tv.wav
2009-04-02 18:14 . 2009-04-02 18:14 6282 ----a-w c:\windows\system32\rrt_tn.wav
2009-04-02 18:14 . 2009-04-02 18:14 16244 ----a-w c:\windows\system32\rrt_is.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 15:56 . 2007-11-17 00:53 -------- d-----w c:\documents and settings\Arpit\Application Data\Free Download Manager
2009-04-17 18:21 . 2005-07-24 05:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-26 19:23 . 2005-08-27 20:05 -------- d-----w c:\program files\Google
2009-03-04 23:39 . 2009-03-04 23:39 172 ----a-w C:\eivntpxj.txt
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\Arpit\Application Data\Malwarebytes
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-04 22:39 . 2009-03-04 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 03:28 . 2008-11-22 03:28 24192 ----a-w c:\documents and settings\Arpit\usbsermptxp.sys
2008-11-22 03:28 . 2008-11-22 03:28 22768 ----a-w c:\documents and settings\Arpit\usbsermpt.sys
2008-07-01 19:34 . 2008-05-22 21:25 5000000 ----a-w c:\documents and settings\Arpit\down_5M.zip
2008-07-01 18:40 . 2008-05-22 16:55 3000000 ----a-w c:\documents and settings\Arpit\down_3M.zip
2008-07-01 18:24 . 2008-07-01 18:21 3011100 ----a-w c:\documents and settings\Arpit\up_3M.zip
2008-07-01 15:10 . 2008-05-22 19:27 1000000 ----a-w c:\documents and settings\Arpit\down_1M.zip
2008-06-26 23:51 . 2008-06-25 22:56 10000000 ----a-w c:\documents and settings\Arpit\down_10M.zip
2008-06-26 23:08 . 2008-05-21 21:37 2000000 ----a-w c:\documents and settings\Arpit\down_2M.zip
2008-06-26 19:25 . 2008-06-26 16:26 500000 ----a-w c:\documents and settings\Arpit\down_500k.zip
2008-06-25 21:49 . 2008-05-23 14:06 1000000 ----a-w c:\documents and settings\Arpit\up_1M.zip
2008-05-23 02:01 . 2008-05-23 02:01 0 ----a-w c:\documents and settings\Arpit\doen_5M.zip
2008-05-22 21:35 . 2008-05-22 21:35 5000000 ----a-w c:\documents and settings\Arpit\up_5M.zip
2008-05-22 19:50 . 2008-05-22 19:50 500000 ----a-w c:\documents and settings\Arpit\up_500k.zip
2008-05-21 21:35 . 2008-05-21 21:35 2007400 ----a-w c:\documents and settings\Arpit\up_2M.zip
2008-02-06 05:13 . 2005-09-01 20:41 65192 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-05 15:43 . 2005-09-05 15:43 128 ----a-w c:\documents and settings\Arpit\Local Settings\Application Data\fusioncache.dat
2005-10-22 04:57 . 2005-08-30 12:35 56 --sh--r c:\windows\system32\FCC0B1D40A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WIRED Login.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WIRED Login.lnk
backup=c:\windows\pss\WIRED Login.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\SYMANT~1\\SCRIPT~1\\SBServ.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=

R3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\Drivers\M1000KNT.sys [2004-06-16 443211]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]
R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]
R3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\DRIVERS\qcmdmxp.sys [2006-12-27 92800]
R3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\DRIVERS\qcserxp.sys [2006-12-27 92800]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WINIO
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - dsunidrv
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - EvtEng
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - IWCA
*Deregistered* - KodakCCS
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVPrcMon
*Deregistered* - LVPrcSrv
*Deregistered* - LVUSBSta
*Deregistered* - matlabserver
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PrismXL
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RegSrvc
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - SAVRTPEL
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - ScsiAccess
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WINIO
*Deregistered* - winmgmt
*Deregistered* - WLANKEEPER
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a0b8ba-f065-11dd-bc17-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7abadf30-2e8a-11de-b4d4-0013ce2012aa}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c7ea5b2-453e-11dd-bbab-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6c5bfab-8d2f-11db-babe-0013ce2012aa}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-25 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Mansi.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 19:47]

2009-04-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-07-24 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 21:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(6952)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\matlab6p5\bin\win32\matlab.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\spoolsv32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\system32\dla\tfswctrl.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\Common Files\Symantec Shared\CCAPP.EXE
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\windows\keyacc32.exe
c:\program files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Internet Explorer\iexplore.exe
c:\progra~1\SPYWAR~1\swdoctor.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2009-04-29 21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 01:38
ComboFix2.txt 2009-04-27 03:05
ComboFix3.txt 2009-04-25 01:29

Pre-Run: 2,760,040,448 bytes free
Post-Run: 2,655,772,672 bytes free

346

thanks!!

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 29 April 2009 - 01:57 PM

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 arpu31

arpu31
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 02 May 2009 - 09:10 PM

Hi,

While I Click on 'Start Scanning', it comes up with the License Agreement which I need to accept. But the the 'Accept' option for license agreement is disabled.. How do I get it to enable?

Thanks!

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:47 AM

Posted 03 May 2009 - 10:49 AM

First make sure the active-x control installs. You may see a yellow info across the top of the window if it hasn't installed yet.
Then just scroll down to the bottom of the license agreement and the Accept should be available to you.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users