Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Analyze Combofix.txt


  • This topic is locked This topic is locked
13 replies to this topic

#1 udai

udai

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 29 April 2009 - 02:54 PM

Hi,
I had some problem with google redirect. i got some help with gooredfix, but it only works once. every time i boot(restart) my laptop the problem is back.
so i ran combofix.
here is the output file combofix.txt . Can anyone please analyze the problem


ComboFix 09-04-29.01 - UDAY 04/29/2009 14:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1010 [GMT -4:00]
Running from: c:\documents and settings\UDAY\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
FW: *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\UDAY\protect.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\__c0099959.dat
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\bin
c:\windows\system32\bin\appletviewer.exe
c:\windows\system32\bin\apt.exe
c:\windows\system32\bin\beanreg.dll
c:\windows\system32\bin\extcheck.exe
c:\windows\system32\bin\HtmlConverter.exe
c:\windows\system32\bin\idlj.exe
c:\windows\system32\bin\jar.exe
c:\windows\system32\bin\jarsigner.exe
c:\windows\system32\bin\java.exe
c:\windows\system32\bin\javac.exe
c:\windows\system32\bin\javadoc.exe
c:\windows\system32\bin\javah.exe
c:\windows\system32\bin\javap.exe
c:\windows\system32\bin\javaw.exe
c:\windows\system32\bin\javaws.exe
c:\windows\system32\bin\jconsole.exe
c:\windows\system32\bin\jdb.exe
c:\windows\system32\bin\jps.exe
c:\windows\system32\bin\jstat.exe
c:\windows\system32\bin\jstatd.exe
c:\windows\system32\bin\keytool.exe
c:\windows\system32\bin\kinit.exe
c:\windows\system32\bin\klist.exe
c:\windows\system32\bin\ktab.exe
c:\windows\system32\bin\native2ascii.exe
c:\windows\system32\bin\orbd.exe
c:\windows\system32\bin\pack200.exe
c:\windows\system32\bin\packager.exe
c:\windows\system32\bin\policytool.exe
c:\windows\system32\bin\rmic.exe
c:\windows\system32\bin\rmid.exe
c:\windows\system32\bin\rmiregistry.exe
c:\windows\system32\bin\serialver.exe
c:\windows\system32\bin\servertool.exe
c:\windows\system32\bin\tnameserv.exe
c:\windows\system32\bin\unpack200.exe
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\loader266.exe
c:\windows\system32\loader49.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\MPG4C32.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\winglsetup.exe
c:\windows\Tasks\At1.job
C:\xcrashdump.dat
c:\windows\system32\cvwjvqz.dll . . . . failed to delete
c:\windows\system32\rntuoxog.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_ORZVMKDY
-------\Service_orzvmkdy


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 18:18 . 2009-04-29 18:18 -------- d-----w c:\documents and settings\UDAY\Application Data\ddwotmtq
2009-04-29 18:18 . 2009-04-29 18:18 -------- d-----w c:\documents and settings\UDAY\Local Settings\Application Data\ddwotmtq
2009-04-29 16:45 . 2009-04-29 16:45 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-29 15:02 . 2009-04-29 18:21 -------- d-----w c:\program files\Lavasoft
2009-04-29 13:50 . 2009-04-29 13:52 -------- dc-h--w c:\windows\ie8
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ddwotmtq
2009-04-28 13:46 . 2009-04-28 13:46 -------- d-----w c:\program files\innoheim
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-22 14:24 . 2009-04-22 14:24 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-15 17:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:49 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 17:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-01 01:22 . 2009-04-01 01:22 -------- d-sh--w c:\documents and settings\UDAY\IECompatCache
2009-04-01 01:21 . 2009-04-01 01:21 -------- d-sh--w c:\documents and settings\UDAY\PrivacIE
2009-04-01 01:18 . 2009-04-01 01:18 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-01 01:16 . 2009-04-01 01:16 -------- d-sh--w c:\documents and settings\UDAY\IETldCache
2009-04-01 01:14 . 2009-04-27 15:03 -------- d-----w c:\windows\ie8updates
2009-04-01 01:06 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 18:54 . 2004-08-10 18:51 143872 ----a-w c:\windows\system32\rntuoxog.dll
2009-04-29 18:54 . 2004-08-10 18:51 104448 ----a-w c:\windows\system32\yutlekx.dll
2009-04-29 16:40 . 2006-07-27 14:45 -------- d-----w c:\program files\DivX
2009-04-29 16:23 . 2009-03-10 13:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-29 15:02 . 2007-07-17 02:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 13:46 . 2006-03-31 18:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 21:23 . 2006-03-31 18:41 -------- d-----w c:\program files\Google
2009-03-08 08:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 15:44 . 2008-01-23 15:53 256 ----a-w c:\windows\system32\pool.bin
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-10 18:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 18:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 18:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 18:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-10 18:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-10 18:51 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 18:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-10 18:51 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01DDF974-2A2C-4F5D-88C2-B92ED65F7079}]
2009-04-29 18:54 143872 ----a-w c:\windows\system32\rntuoxog.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1760EABF-26C9-4100-A7A8-3D2AB14F1F16}]
2004-08-04 11:00 104448 ----a-w c:\windows\system32\cvwjvqz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"cdloader"="c:\documents and settings\UDAY\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"Google Update"="c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-03 133104]
"autochk"="c:\docume~1\UDAY\protect.dll" [2009-04-29 24064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-09 180269]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"autochk"="c:\windows\system32\autochk.dll" [2009-04-29 24064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\windows\system32\config\SYSTEM~1\protect.dll" [2009-04-29 24064]

c:\documents and settings\UDAY\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-8-10 33280]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:tomcat

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711); [x]
R1 vcdrom;Virtual CD-ROM Device Driver; [x]
R2 DriverX;DriverX; [x]
R3 VM30xx86;Vimicro USB PC Camera (ZC0301); [x]
S0 wrvsjbfx;wrvsjbfx;c:\windows\system32\drivers\wrvsjbfx.sys [2004-08-04 23424]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1603ec9e-00a3-11de-b0c5-0016ce1f87a1}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5c37dd-6ff4-11dd-afe2-0016ce1f87a1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc3feec-f0db-11dd-b0b1-0016ce1f87a1}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cd516a-984c-11dc-add7-0014229f9a62}]
\Shell\AutoRun\command - e:\truecrypt\TrueCrypt.exe /q background /e /m rm /v "TrueCrypt Vol 1 - DO NOT DELETE"
\Shell\dismount\command - e:\truecrypt\TrueCrypt.exe /q /d
\Shell\start\command - e:\truecrypt\TrueCrypt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{524cf106-7e09-11dd-aff8-0016ce1f87a1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b188bc-d246-11dd-b085-0016ce1f87a1}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bda3afa-77d0-11dd-aff0-0016ce1f87a1}]
\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3012315782-3780978459-2933525636-1006.job
- c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 19:33]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\tqwwojhzfu.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\996566630.exe
HKU-Default-Run-A00F2FCF4.exe - c:\windows\TEMP\_A00F2FCF4.exe
Notify-__c0099959 - c:\windows\system32\__c0099959.dat
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {8EB4A251-D29C-4F3F-85DE-1C0BB71F0305} - hxxp://www.drm-x.com/download/p2pclient.cab
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab
FF - ProfilePath - c:\documents and settings\UDAY\Application Data\Mozilla\Firefox\Profiles\j8afzej3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\UDAY\Application Data\Mozilla\Firefox\Profiles\j8afzej3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\UDAY\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxrpcdrwul.sys 81408 bytes executable
c:\windows\system32\ovfsthxbodpalkr.dat 76863 bytes
c:\windows\system32\lmppcsetup.exe 27648 bytes executable
c:\windows\system32\ovfsthxirjwqqob.dat 43 bytes
c:\windows\system32\ovfsthxjwswwupx.dll 18432 bytes executable
c:\windows\system32\ovfsthxmxfglkdm.dll 18432 bytes executable
c:\windows\system32\ovfsthxtfqpppih.dll 59904 bytes executable
c:\windows\system32\autochk.dll 24064 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3436)
c:\windows\TEMP\msb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-04-29 15:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 19:03

Pre-Run: 46,232,948,736 bytes free
Post-Run: 47,171,682,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

345 --- E O F --- 2009-04-29 15:35

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 07:12 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
vvdsvc
Driver::
wrvsjbfx
vvdsvc 

Rootkit::
c:\windows\system32\rntuoxog.dll
c:\windows\system32\yutlekx.dll
c:\windows\system32\drivers\ovfsthxrpcdrwul.sys
c:\windows\system32\ovfsthxbodpalkr.dat
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfsthxirjwqqob.dat
c:\windows\system32\ovfsthxjwswwupx.dll
c:\windows\system32\ovfsthxmxfglkdm.dll
c:\windows\system32\ovfsthxtfqpppih.dll
c:\windows\system32\autochk.dll

File::
c:\windows\system32\rntuoxog.dll
c:\windows\system32\cvwjvqz.dll
c:\documents and settings\UDAY\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\wrvsjbfx.sys

Folder::
c:\documents and settings\UDAY\Application Data\ddwotmtq
c:\documents and settings\UDAY\Local Settings\Application Data\ddwotmtq

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01DDF974-2A2C-4F5D-88C2-B92ED65F7079}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1760EABF-26C9-4100-A7A8-3D2AB14F1F16}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cd516a-984c-11dc-add7-0014229f9a62}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 09:34 AM

Thanks fenzodahl512 for your kind help in solving my problem.

Here are the following logs and txt file which you asked

combofix.txt

ComboFix 09-04-29.07 - UDAY 04/30/2009 10:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.803 [GMT -4:00]
Running from: c:\documents and settings\UDAY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\UDAY\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
FW: *disabled*

FILE ::
c:\documents and settings\UDAY\protect.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\cvwjvqz.dll
c:\windows\system32\drivers\wrvsjbfx.sys
c:\windows\system32\rntuoxog.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\UDAY\Application Data\ddwotmtq
c:\documents and settings\UDAY\Application Data\ddwotmtq\profiles.ini
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\cert8.db
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\compatibility.ini
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\compreg.dat
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\cookies.sqlite
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\formhistory.sqlite
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\key3.db
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\localstore.rdf
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\permissions.sqlite
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\places.sqlite
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\pluginreg.dat
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\prefs.js
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\secmod.db
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\webappsstore.sqlite
c:\documents and settings\UDAY\Application Data\ddwotmtq\Profiles\xrmyblng.default\xpti.dat
c:\documents and settings\UDAY\Local Settings\Application Data\ddwotmtq
c:\documents and settings\UDAY\Local Settings\Application Data\ddwotmtq\Profiles\xrmyblng.default\urlclassifier3.sqlite
c:\documents and settings\UDAY\Local Settings\Application Data\ddwotmtq\Profiles\xrmyblng.default\XPC.mfl
c:\documents and settings\UDAY\protect.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\cvwjvqz.dll
c:\windows\system32\drivers\ovfsthxrpcdrwul.sys
c:\windows\system32\drivers\wrvsjbfx.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfsthxbodpalkr.dat
c:\windows\system32\ovfsthxirjwqqob.dat
c:\windows\system32\ovfsthxjwswwupx.dll
c:\windows\system32\ovfsthxmxfglkdm.dll
c:\windows\system32\ovfsthxtfqpppih.dll
c:\windows\system32\rntuoxog.dll
c:\windows\system32\yutlekx.dll
c:\windows\TEMP\msb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VVDSVC
-------\Legacy_WRVSJBFX
-------\Service_vvdsvc
-------\Service_wrvsjbfx


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 13:21 . 2009-04-30 13:21 45413932 ----a-w C:\backup.reg
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\documents and settings\UDAY\Application Data\SUPERAntiSpyware.com
2009-04-29 16:45 . 2009-04-29 16:45 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-29 15:02 . 2009-04-29 18:21 -------- d-----w c:\program files\Lavasoft
2009-04-29 13:50 . 2009-04-29 13:52 -------- dc-h--w c:\windows\ie8
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\NetworkService\Application Data\ddwotmtq
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ddwotmtq
2009-04-28 13:46 . 2009-04-28 13:46 -------- d-----w c:\program files\innoheim
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-22 14:24 . 2009-04-22 14:24 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-15 17:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:49 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 17:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-01 01:22 . 2009-04-01 01:22 -------- d-sh--w c:\documents and settings\UDAY\IECompatCache
2009-04-01 01:21 . 2009-04-01 01:21 -------- d-sh--w c:\documents and settings\UDAY\PrivacIE
2009-04-01 01:18 . 2009-04-01 01:18 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-01 01:16 . 2009-04-01 01:16 -------- d-sh--w c:\documents and settings\UDAY\IETldCache
2009-04-01 01:14 . 2009-04-27 15:03 -------- d-----w c:\windows\ie8updates
2009-04-01 01:06 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 14:12 . 2004-08-10 18:51 23424 ----a-w c:\windows\system32\drivers\xsovxcju.sys
2009-04-30 03:10 . 2007-07-17 02:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 13:46 . 2006-03-31 18:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 21:23 . 2006-03-31 18:41 -------- d-----w c:\program files\Google
2009-03-08 08:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 15:44 . 2008-01-23 15:53 256 ----a-w c:\windows\system32\pool.bin
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-10 18:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 18:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 18:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 18:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-10 18:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-10 18:51 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 18:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-10 18:51 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_19.00.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 14:16 . 2009-04-30 14:16 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
- 2009-04-28 12:54 . 2009-04-29 18:14 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2009-04-28 12:54 . 2009-04-30 13:23 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2006-05-29 20:57 . 2009-04-30 13:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-29 20:57 . 2009-04-29 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-29 20:57 . 2009-04-30 13:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-29 20:57 . 2009-04-29 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-27 14:45 . 2009-04-30 13:06 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-27 14:45 . 2009-04-29 18:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-05-29 20:57 . 2009-04-30 13:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-29 20:57 . 2009-04-29 18:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-30 03:11 . 2009-04-30 03:11 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-30 03:11 . 2009-04-30 03:11 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"cdloader"="c:\documents and settings\UDAY\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"Google Update"="c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-03 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-09 180269]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^UDAY^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^UDAY^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:tomcat

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711); [x]
R1 vcdrom;Virtual CD-ROM Device Driver; [x]
R2 DriverX;DriverX; [x]
R3 VM30xx86;Vimicro USB PC Camera (ZC0301); [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WRVSJBFX

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1603ec9e-00a3-11de-b0c5-0016ce1f87a1}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5c37dd-6ff4-11dd-afe2-0016ce1f87a1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc3feec-f0db-11dd-b0b1-0016ce1f87a1}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{524cf106-7e09-11dd-aff8-0016ce1f87a1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b188bc-d246-11dd-b085-0016ce1f87a1}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bda3afa-77d0-11dd-aff0-0016ce1f87a1}]
\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3012315782-3780978459-2933525636-1006.job
- c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab
FF - ProfilePath - c:\documents and settings\UDAY\Application Data\Mozilla\Firefox\Profiles\f3ijr7ya.default\
FF - plugin: c:\documents and settings\UDAY\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3988)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-04-30 10:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 14:22
ComboFix2.txt 2009-04-29 19:04

Pre-Run: 48,773,550,080 bytes free
Post-Run: 48,772,718,592 bytes free

325 --- E O F --- 2009-04-29 15:35




HijackThis.txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:18 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\UDAY\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192363658609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.mydesichannel.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8077 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 10:10 AM

Please download DaonolFix from jpshortstuff and save it to your Desktop.

Double-click that file and choose 1. Find Daonol (no fix) and then Enter

Let it scan until finish.. Then post the log here in your next reply




1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
WRVSJBFX
vvdsvc 

Rootkit::
c:\windows\system32\drivers\wrvsjbfx.sys
c:\windows\system32\drivers\xsovxcju.sys

File::
c:\windows\system32\drivers\xsovxcju.sys
c:\windows\system32\drivers\wrvsjbfx.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"vvdsvc "=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc3feec-f0db-11dd-b0b1-0016ce1f87a1}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 30 April 2009 - 10:11 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 10:44 AM

Hi fenzodahl512,

here are the following logs

DaonolFix

DaonolFix (15.04.09) by jpshortstuff
Log created at 11:20 on 30/04/2009 by UDAY
Running from C:\Documents and Settings\UDAY\Desktop\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"‘"=""
"aux"="wdmaud.sys"
"aux1"="wdmaud.drv"
"midi"="wdmaud.drv"
"midi1"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"msacm.divxa32"="DivXa32.acm"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="L3codeca.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"MSVideo"="VfwWdm32.dll"
"MSVideo8"="VfWWDM32.dll"
"vidc.cvid"="iccvid.dll"
"vidc.DIV3"="DivXc32.dll"
"vidc.DIV4"="DivXc32f.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.MP42"="MPG4C32.dll"
"vidc.MP43"="MPG4C32.dll"
"vidc.MPG4"="MPG4C32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.tscc"="tsccvid.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"

-=Daonol Files=-
(none found)

-=End Of File=-

Combofix.txt


ComboFix 09-04-29.07 - UDAY 04/30/2009 11:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.876 [GMT -4:00]
Running from: c:\documents and settings\UDAY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\UDAY\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
FW: *disabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\drivers\wrvsjbfx.sys
c:\windows\system32\drivers\xsovxcju.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\wrvsjbfx.sys
c:\windows\system32\drivers\xsovxcju.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WRVSJBFX


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 15:26 . 2009-04-30 15:26 -------- d-----w C:\QUARANTINE
2009-04-30 13:21 . 2009-04-30 13:21 45413932 ----a-w C:\backup.reg
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-30 03:11 . 2009-04-30 03:11 -------- d-----w c:\documents and settings\UDAY\Application Data\SUPERAntiSpyware.com
2009-04-29 16:45 . 2009-04-29 16:45 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-29 15:02 . 2009-04-29 18:21 -------- d-----w c:\program files\Lavasoft
2009-04-29 13:50 . 2009-04-29 13:52 -------- dc-h--w c:\windows\ie8
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\NetworkService\Application Data\ddwotmtq
2009-04-28 17:36 . 2009-04-28 17:36 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\ddwotmtq
2009-04-28 13:46 . 2009-04-28 13:46 -------- d-----w c:\program files\innoheim
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-22 14:24 . 2009-04-22 14:24 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-15 17:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:49 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 17:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-01 01:22 . 2009-04-01 01:22 -------- d-sh--w c:\documents and settings\UDAY\IECompatCache
2009-04-01 01:21 . 2009-04-01 01:21 -------- d-sh--w c:\documents and settings\UDAY\PrivacIE
2009-04-01 01:18 . 2009-04-01 01:18 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-01 01:16 . 2009-04-01 01:16 -------- d-sh--w c:\documents and settings\UDAY\IETldCache
2009-04-01 01:14 . 2009-04-27 15:03 -------- d-----w c:\windows\ie8updates
2009-04-01 01:06 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 03:10 . 2007-07-17 02:38 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 13:46 . 2006-03-31 18:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 21:23 . 2006-03-31 18:41 -------- d-----w c:\program files\Google
2009-03-08 08:34 . 2004-08-10 18:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-10 18:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-10 18:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-10 18:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-10 18:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-10 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-10 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-10 18:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-10 18:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-10 18:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 15:44 . 2008-01-23 15:53 256 ----a-w c:\windows\system32\pool.bin
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-10 18:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 18:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 18:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 18:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-10 18:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-10 18:51 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 18:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-10 18:51 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_19.00.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 15:30 . 2009-04-30 15:30 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat
- 2009-04-28 12:54 . 2009-04-29 18:14 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2009-04-28 12:54 . 2009-04-30 13:23 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
- 2006-05-29 20:57 . 2009-04-29 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-05-29 20:57 . 2009-04-30 13:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-27 14:45 . 2009-04-30 13:06 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-27 14:45 . 2009-04-29 18:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-05-29 20:57 . 2009-04-30 13:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-29 20:57 . 2009-04-29 18:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-30 03:11 . 2009-04-30 03:11 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-30 03:11 . 2009-04-30 03:11 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"cdloader"="c:\documents and settings\UDAY\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"Google Update"="c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-03 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-09 180269]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^UDAY^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^UDAY^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\UDAY\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\UDAY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\UDAY\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:tomcat

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711); [x]
R1 vcdrom;Virtual CD-ROM Device Driver; [x]
R2 DriverX;DriverX; [x]
R3 VM30xx86;Vimicro USB PC Camera (ZC0301); [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1603ec9e-00a3-11de-b0c5-0016ce1f87a1}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5c37dd-6ff4-11dd-afe2-0016ce1f87a1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{524cf106-7e09-11dd-aff8-0016ce1f87a1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b188bc-d246-11dd-b085-0016ce1f87a1}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bda3afa-77d0-11dd-aff0-0016ce1f87a1}]
\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3012315782-3780978459-2933525636-1006.job
- c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab
FF - ProfilePath - c:\documents and settings\UDAY\Application Data\Mozilla\Firefox\Profiles\f3ijr7ya.default\
FF - plugin: c:\documents and settings\UDAY\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\UDAY\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 11:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(348)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-04-30 11:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 15:36
ComboFix2.txt 2009-04-30 14:23
ComboFix3.txt 2009-04-29 19:04

Pre-Run: 48,742,539,264 bytes free
Post-Run: 48,736,169,984 bytes free

275 --- E O F --- 2009-04-29 15:35


Hijackthis.txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:56 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\UDAY\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\UDAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192363658609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.mydesichannel.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8013 bytes


Thanks.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 10:50 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 01:54 PM

malwarebytes LOG

Malwarebytes' Anti-Malware 1.36
Database version: 2061
Windows 5.1.2600 Service Pack 3

4/30/2009 12:52:10 PM
mbam-log-2009-04-30 (12-52-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152096
Time elapsed: 54 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Dudu (Adware.DuDu) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\UDAY\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\UDAY\Start Menu\Programs\Startup\ChkDisk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ak1.exe.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmppcsetup.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\loader266.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0099959.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\msb.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\pss\ChkDisk.dllStartup (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.

ESET LOG

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4046 (20090430)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bf2489e7c3e2a74c98446c4c1c8eef57
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-30 06:48:35
# local_time=2009-04-30 02:48:35 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=335730
# found=2
# scan_time=5801
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wrvsjbfx_.sys.zip Win32/BHO.EXT trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wrvsjbfx_.sys.zip »ZIP »wrvsjbfx.sys Win32/BHO.EXT trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 02:01 PM

Looks good to me.. Lets do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles write by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read these great info's about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 02:18 PM

Thanks dude ....You rock.

Now can me explain me what happend exactly and what are those scripts which you asked me drag and drop on combofix.


regards
Uday

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 02:21 PM

Simple explaination is the computer had rootkit and trojans on that computer.. If you use the computer for online banking of similar purpose such as paypal, it would be good idea to change all your online passwords now.. Anymore questions? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 02:22 PM

can you tell which antivirus and spyware do you recommend me to use

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 02:26 PM

You already have McAfee as your antivirus, and also Malwarebytes' and SUPERAntiSpyware as your antispyware.. All of them are excellent security programs... Maybe you want to add a firewall.. My recommendation is PC Tools Firewall Plus due to its simplicity..

If you wish to use another antivirus, I personally suggest Avira AntiVir Personal.. Just uninstall your McAfee first and then install Avira..

Anymore questions? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 udai

udai
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 30 April 2009 - 02:42 PM

thanks dude.

Now if want use third party firewall do i have to disable windows firewall?

Malwarebytes' and SUPERAntiSpyware should these both be up and running in my laptop always?

regards

Uday

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 April 2009 - 02:51 PM

Now if want use third party firewall do i have to disable windows firewall?


Yup.. correct

Malwarebytes' and SUPERAntiSpyware should these both be up and running in my laptop always?


I assume both are free edition.. Just run full scan with both of them like twice a month or so..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users