Norton and Malwarebytes do not remove Trojan.Vundo


This topic is locked
22 replies to this topic

#1 stableg
  • Members
  • 13 posts

Posted 30 April 2009 - 11:58 AM

Hi,

I am experiencing a few problems with my laptop, all of which I suspect have to do with malware. I am in a time crunch as I am working on my thesis on my laptop, and any help would be highly appreciated!

I am running Windows XP.

1) My Norton AntiVirus is not able to remove a trojan called Trojan.Vundo. It sees the virus and says that it has quarantined and deleted it, but when I look in the folder (c:\windows\system32) it is still there. Norton keeps on detecting the same virus and keeps popping up windows every few minutes announcing that. The name of the file is tikupoba.dll and I can't delete it manually. (It says that the program cannot be deleted when I go to that folder.) I have run Spybot (latest version) and Malwarebytes Anti-Malware (latest version) but no help. Malwarebytes detects the trojan in the registry, but when I ask Anti-Malware to remove it and run the software again I see the same problems.

2) When I start up Windows a window pops up saying that sadokike.dll is not detected. I run msconfig and remove the startup item sadokike.dll, but when I boot up the same message appears. Also the startup item gets activated in my msconfig. I tried looking in the location (c:\windows\system32) but the file is not there.

I am pasting my dds.txt below. I am also attaching the attach file from DDS, my HijackThis log and my Anti-Malware log.

Thanks again for all the help!

Nishu


DDS (Ver_09-03-16.01) - NTFSx86
Run by nishukurup at 11:29:53.32 on Thu 04/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.526 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\nishukurup\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [bacstray] BacsTray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [fuyazabubi] Rundll32.exe "c:\windows\system32\sadokike.dll",s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: doginhispen.com
Trusted Zone: sify.com
Trusted Zone: whataboutadog.com
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\papuseri.dll ,c:\windows\system32\tikupoba.dll c:\windows\system32\kafuneso.dll c:\windows\system32\divowuda.dll c:\windows\system32\
SEH: Windows: {00203f00-d7a2-456a-ae04-eb9abf822fe4} - c:\docume~1\nishuk~1\locals~1\temp\aow.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\tikupoba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nishuk~1\applic~1\mozilla\firefox\profiles\l711bwq0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.people.cornell.edu/pages/nvk2/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe [2006-5-5 909312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-4-8 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090429.003\naveng.sys [2009-4-29 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090429.003\navex15.sys [2009-4-29 876144]
R3 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
S2 RedSwooshService;RedSwooshService;c:\windows\system32\svchost.exe -k RedSwooshService [2004-8-4 14336]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 DXE201;Dynex DX-E201 CardBus PC Card;c:\windows\system32\drivers\DXE201.SYS [2007-2-3 25434]
S3 puid;puid;c:\windows\system32\drivers\pabc.sys --> c:\windows\system32\drivers\pabc.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\wasatihi.dll
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\tebanohu.dll
2009-04-22 09:01 <DIR> --dsh--- c:\documents and settings\nishukurup\IECompatCache
2009-04-20 19:43 <DIR> --dsh--- c:\documents and settings\nishukurup\PrivacIE
2009-04-20 19:40 <DIR> --dsh--- c:\documents and settings\nishukurup\IETldCache
2009-04-20 19:35 <DIR> --d----- c:\windows\ie8updates
2009-04-20 19:30 <DIR> -cd-h--- c:\windows\ie8
2009-04-20 19:28 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-13 22:02 <DIR> --d----- c:\program files\Trend Micro
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\scripting
2009-04-13 21:36 <DIR> --d----- c:\windows\l2schemas
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\en
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\bits
2009-04-13 21:33 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-13 21:24 <DIR> --d----- c:\windows\EHome
2009-04-11 19:52 <DIR> --d----- c:\windows\system32\Dell
2009-04-11 19:49 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-11 19:48 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-11 19:40 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-11 15:05 <DIR> --d----- c:\docume~1\nishuk~1\applic~1\Malwarebytes
2009-04-11 15:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 15:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-06 08:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-01 10:36 14,592 a------- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2009-04-30 09:54 88,683 a------- c:\windows\system32\nvModes.dat
2009-04-13 21:40 79,123 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 15:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 15:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 05:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 05:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 05:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 05:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 05:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 05:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 05:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 05:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 05:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 05:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 05:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 05:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 05:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 05:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 05:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 05:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 05:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 05:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 05:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 05:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 05:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 05:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 05:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 05:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-20 13:09 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 07:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 07:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 07:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 20:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 20:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 22:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 05:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 14:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-04-24 17:46 0 a--sh--- c:\docume~1\nishuk~1\applic~1\0048110d2f9eaa2883821f2a6de2f6b6fa71fd22d1a6d6ab0e.dat
2005-03-10 16:38 0 a------- c:\program files\update.ini

============= FINISH: 11:30:57.22 ===============
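Added example, not part of the original thread and not something either poster ran: a small triage script that reads the "Pseudo HJT Report" lines of a DDS log like the one above and flags the entries that account for the symptoms in the post. The sample lines are copied from the log above; the known-good list and the rule that the dropped files here have random 8-lowercase-letter names are this example's own assumptions about this one log, not DDS or vendor documentation. The point it surfaces: tikupoba.dll is registered both in AppInit_DLLs (mapped into every process that loads user32.dll) and as an LSA Notification Package (loaded by lsass.exe at boot), so it is in use from boot onward. That is why the file cannot be deleted by hand, why the on-access scanner keeps re-detecting it every few minutes, and why removing only the msconfig startup entry does not hold while the DLLs stay loaded.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for Vundo-style persistence.

Added example for the thread above; not DDS, Symantec or Malwarebytes code.
SAMPLE_LOG is copied from the first DDS log in the thread. KNOWN_GOOD and the
8-letter-name rule are this example's assumptions about that log only.
"""
import re
from dataclasses import dataclass

# Load points that map a DLL into many or all processes: AppInit_DLLs into every
# process that loads user32.dll, LSA Notification Packages into lsass.exe at
# boot, SecurityProviders into every SSPI client, Notify into winlogon, SEH
# (ShellExecuteHooks) into explorer. A DLL hooked there is always in use.
SYSTEM_WIDE = ("appinit_dlls:", "lsa:", "securityproviders:", "notify:", "seh:")
ALWAYS_MAPPED = {"AppInit_DLLs", "LSA", "SecurityProviders"}

# DLLs in the posted log that belong to Windows or to installed products (assumed).
KNOWN_GOOD = {
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll",  # default SSPI packages
    "lgnotify.dll", "navlogon.dll",                               # Intel wireless, Symantec
}

DLL_RE = re.compile(r"(?i)\b([a-z0-9_~-]+\.dll)\b")
# Vundo's dropped files in this log all have 8 lowercase letters (tikupoba, sadokike, ...).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass(frozen=True)
class Finding:
    entry: str   # DDS entry type, e.g. "AppInit_DLLs" or "mRun"
    dll: str     # lower-cased file name
    reason: str


def dlls_in(line):
    """Lower-cased file name of every DLL referenced on one DDS line."""
    return [m.group(1).lower() for m in DLL_RE.finditer(line)]


def triage(lines):
    """Return a Finding for each line that looks like Vundo persistence."""
    findings = []
    for raw in lines:
        line = raw.strip()
        low = line.lower()
        entry = line.split(":", 1)[0]
        if low.startswith(SYSTEM_WIDE):
            for dll in dlls_in(line):
                if dll in KNOWN_GOOD:
                    continue
                reason = "unknown DLL in a system-wide load point"
                if "\\temp\\" in low:
                    reason += ", loaded from a temp directory"
                findings.append(Finding(entry, dll, reason))
        elif low.startswith("bho: {"):
            # A BHO registered with a CLSID but no display name is rare for
            # legitimate software and typical of Vundo's browser component.
            for dll in dlls_in(line):
                findings.append(Finding(entry, dll, "BHO with no display name"))
        elif low.startswith(("urun:", "mrun:")) and "rundll32" in low:
            for dll in dlls_in(line):
                if RANDOM_NAME_RE.match(dll) and "\\system32\\" in low:
                    findings.append(Finding(entry, dll,
                                            "rundll32 autorun of a random-named system32 DLL"))
    return findings


def files_to_collect(findings):
    """Distinct file names to hash or submit before any cleaning is attempted."""
    return sorted({f.dll for f in findings})


def always_mapped(findings):
    """DLLs hooked into load points that keep them in use from boot onward."""
    return sorted({f.dll for f in findings if f.entry in ALWAYS_MAPPED})


# Constructed sample: lines copied from the first DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: {05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [fuyazabubi] Rundll32.exe "c:\windows\system32\sadokike.dll",s
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\papuseri.dll ,c:\windows\system32\tikupoba.dll c:\windows\system32\kafuneso.dll c:\windows\system32\divowuda.dll c:\windows\system32\
SEH: Windows: {00203f00-d7a2-456a-ae04-eb9abf822fe4} - c:\docume~1\nishuk~1\locals~1\temp\aow.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\tikupoba.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:<18} {f.dll:<14} {f.reason}")
    print("collect:", files_to_collect(triage(SAMPLE_LOG)))
    print("always mapped:", always_mapped(triage(SAMPLE_LOG)))
```

The `always_mapped` list is the practical check: none of those files will be deletable from a running session until the AppInit_DLLs, LSA and SecurityProviders values are cleared and the machine rebooted, and the `files_to_collect` list is what to hash or submit to a scanner before anything is removed, since the names are random and will not match across machines.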


#2 SifuMike (malware expert)
  • Staff Emeritus
  • 15,385 posts
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 05:33 PM

Hello stableg,

You have several very nasty infections on this computer.

Is this a business, work or company computer?

Edited by SifuMike, 04 May 2009 - 05:37 PM.


#3 stableg (Topic Starter)
  • Members
  • 13 posts

Posted 04 May 2009 - 07:12 PM

SifuMike,

Thanks for taking the time to reply to me. This is my personal laptop, not a work computer, but I am using it for working on my thesis.

I have done some cleaning since the last time I posted, so it might be better. Still, it would be great if you could advise me how to clean it completely.

Here is my new dds.txt. I have attached the attach.txt and hijackthis.log separately.

Thanks again for all the help

stableg



DDS (Ver_09-03-16.01) - NTFSx86
Run by nishukurup at 19:02:55.51 on Mon 05/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.410 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Client Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nishukurup\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nishukurup\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [<NO NAME>]
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [bacstray] "BacsTray.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
mRun: [e0fc7470] "rundll32.exe" "c:\windows\system32\dotudoyi.dll",b
mRun: [fuyazabubi] "Rundll32.exe" "c:\windows\system32\sadokike.dll",s
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: doginhispen.com
Trusted Zone: sify.com
Trusted Zone: whataboutadog.com
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Windows: {00203f00-d7a2-456a-ae04-eb9abf822fe4} - c:\docume~1\nishuk~1\locals~1\temp\aow.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\tikupoba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nishuk~1\applic~1\mozilla\firefox\profiles\l711bwq0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe [2006-5-5 909312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-4-8 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-30 1181040]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090504.005\naveng.sys [2009-5-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090504.005\navex15.sys [2009-5-4 876144]
R3 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
S2 RedSwooshService;RedSwooshService;c:\windows\system32\svchost.exe -k RedSwooshService [2004-8-4 14336]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 DXE201;Dynex DX-E201 CardBus PC Card;c:\windows\system32\drivers\DXE201.SYS [2007-2-3 25434]
S3 puid;puid;c:\windows\system32\drivers\pabc.sys --> c:\windows\system32\drivers\pabc.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-05-02 08:50 <DIR> --d----- C:\!KillBox
2009-05-01 07:30 389,120 a------- c:\windows\system32\cmd.execf
2009-04-30 23:56 1,433,378 ---sh--- c:\windows\system32\iyodutod.ini
2009-04-30 21:59 775,168 a------- c:\windows\isRS-000.tmp
2009-04-30 19:56 <DIR> --d----- c:\program files\MSSOAP
2009-04-30 19:55 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-30 19:55 <DIR> --d----- c:\program files\Webroot
2009-04-30 19:55 <DIR> --d----- c:\docume~1\nishuk~1\applic~1\Webroot
2009-04-30 19:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-04-30 19:54 164 a------- c:\windows\install.dat
2009-04-30 19:29 <DIR> --d----- C:\VundoFix Backups
2009-04-30 17:11 <DIR> --d----- c:\program files\Unlocker
2009-04-30 11:56 121 ---sh--- c:\windows\system32\olesosim.ini
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\wasatihi.dll
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\tebanohu.dll
2009-04-22 09:01 <DIR> --dsh--- c:\documents and settings\nishukurup\IECompatCache
2009-04-20 19:43 <DIR> --dsh--- c:\documents and settings\nishukurup\PrivacIE
2009-04-20 19:40 <DIR> --dsh--- c:\documents and settings\nishukurup\IETldCache
2009-04-20 19:35 <DIR> --d----- c:\windows\ie8updates
2009-04-20 19:30 <DIR> -cd-h--- c:\windows\ie8
2009-04-20 19:28 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-13 22:02 <DIR> --d----- c:\program files\Trend Micro
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\scripting
2009-04-13 21:36 <DIR> --d----- c:\windows\l2schemas
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\en
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\bits
2009-04-13 21:33 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-13 21:24 <DIR> --d----- c:\windows\EHome
2009-04-11 19:52 <DIR> --d----- c:\windows\system32\Dell
2009-04-11 19:49 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-11 19:48 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-11 19:40 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-11 15:05 <DIR> --d----- c:\docume~1\nishuk~1\applic~1\Malwarebytes
2009-04-11 15:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 15:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-06 08:39 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-04-30 19:12 88,683 a------- c:\windows\system32\nvModes.dat
2009-04-13 21:40 79,123 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 15:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 15:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 05:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 05:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 05:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 05:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 05:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 05:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 05:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 05:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 05:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 05:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 05:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 05:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 05:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 05:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 05:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 05:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 05:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 05:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 05:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 05:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 05:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 05:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 05:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 05:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-20 13:09 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 07:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 07:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 07:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 20:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 20:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 22:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 05:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2008-04-24 17:46 0 a--sh--- c:\docume~1\nishuk~1\applic~1\0048110d2f9eaa2883821f2a6de2f6b6fa71fd22d1a6d6ab0e.dat
2005-03-10 16:38 0 a------- c:\program files\update.ini

============= FINISH: 19:04:29.19 ===============


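The DDS log above (and the fresh one posted later in this thread) carries the persistence entries that explain why the on-demand scanners kept "removing" tikupoba.dll without effect: a DLL listed under LSA "Notification Packages" is loaded into lsass.exe at boot, so the file is locked while Windows is running, and the two mRun values that start rundll32 with sodojiya.dll-style DLLs re-register it. As an added example that is not part of the thread and not part of DDS or any other tool named here, the script below runs a first triage pass over such lines. It flags LSA notification packages other than scecli (the only entry on a stock Windows XP system), Browser Helper Objects registered without a display name, and recently created system32 files carrying the hidden+system attributes shown as `---sh---` in the "Created Last 30" section. Run values that start rundll32 with a DLL are only collected for review, because legitimate software (the NVIDIA tray items in the same log) uses the same mechanism. The sample lines are excerpted from the log posted in this thread; the regular expressions assume the DDS line layout seen there, and the space-separated parsing of the LSA line is an assumption that would break on a path containing spaces.

```python
"""Triage of autostart lines from a DDS log (added example, not DDS code)."""
import re

# Sample lines excerpted from the DDS log posted in the thread.
SAMPLE_DDS = r"""
BHO: {05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [e0fc7470] "rundll32.exe" "c:\windows\system32\dotudoyi.dll",b
mRun: [fuyazabubi] "Rundll32.exe" "c:\windows\system32\sadokike.dll",s
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
LSA: Notification Packages = scecli c:\windows\system32\tikupoba.dll
2009-04-30 23:56 1,433,378 ---sh--- c:\windows\system32\iyodutod.ini
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\wasatihi.dll
2009-04-11 15:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# BHO line with no display name: "BHO: {guid} - path" (named ones read "BHO: Name: {guid} - path").
UNNAMED_BHO_RE = re.compile(r"^BHO: \{[0-9a-fA-F-]+\} - (.+)$")
# LSA notification packages, space separated in DDS output (assumption: no spaces in the paths).
LSA_RE = re.compile(r"^LSA: Notification Packages = (.+)$")
# Run value that starts rundll32 with a DLL; capture the DLL path or name (first argument).
RUNDLL_RE = re.compile(r'^[um]Run: \[[^\]]*\] "?rundll32(?:\.exe)?"? +"?([^",]+)', re.I)
# "Created Last 30" line: date time size-or-<DIR> attrs path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:<DIR>|[\d,]+) (\S{8}) (.+)$")

DEFAULT_LSA_PACKAGES = {"scecli"}      # the only notification package on a stock Windows XP
SYSTEM32 = "c:\\windows\\system32\\"


def triage(dds_text: str) -> dict:
    """Group the noteworthy lines of a DDS log excerpt by the reason they were picked."""
    findings = {
        "lsa_extra_packages": [],         # loaded into lsass.exe at boot: file locked at runtime
        "unnamed_bho": [],                # BHO registered without a display name
        "hidden_system_in_system32": [],  # recently created, hidden+system, under system32
        "rundll32_review": [],            # DLLs started through rundll32 (benign ones included)
    }
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := LSA_RE.match(line):
            packages = m.group(1).split()
            findings["lsa_extra_packages"] += [
                p for p in packages if p.lower() not in DEFAULT_LSA_PACKAGES
            ]
        elif m := UNNAMED_BHO_RE.match(line):
            findings["unnamed_bho"].append(m.group(1))
        elif m := RUNDLL_RE.match(line):
            findings["rundll32_review"].append(m.group(1))
        elif m := CREATED_RE.match(line):
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and path.lower().startswith(SYSTEM32):
                findings["hidden_system_in_system32"].append(path)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(category)
        for item in items:
            print("   ", item)
```

The LSA finding is the one to act on first: because the package is loaded by lsass.exe, the file can only be removed from outside the running system (a recovery console or a boot-time deletion), and the registry value has to be cleaned at the same time or the DLL is simply re-read at the next boot.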

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 08:06 PM

Hi stableg,

This computer has several nasty infections.

Let's start with the AWF infection.

Download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report, is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 stableg

stableg
  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 09:02 PM

Hi SifuMike,

Thanks again for taking the time to check my comp...

here is the log you requested

stableg


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 05/04/2009
The current time is: 20:50:29.91


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 07:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

04/08/2005 02:52 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~2\BAK

04/17/2005 11:30 AM 85,184 VPTray.exe
1 File(s) 85,184 bytes

Directory of C:\PROGRA~1\VEOHNE~1\VEOH\BAK

09/12/2007 07:33 PM 2,560,000 VeohClient.exe
1 File(s) 2,560,000 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

11/16/2004 12:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/30/2004 03:59 PM 385,024 ifrmewrk.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\DOCUME~1\NISHUK~1\MYDOCU~1\VIDEOS\VEOH\APPBAC~1\BAK

09/12/2007 07:33 PM 2,560,000 VeohClient.exe
1 File(s) 2,560,000 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 28 2008 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Jan 2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
108096 Jan 2 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0TKZ2LQR\iTunesSetupAdmin[1].exe"
116008 Nov 12 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27MZ8NUR\iTunesSetupAdmin[1].exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Apr 13 2008 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
48752 Apr 8 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Apr 8 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
85184 Apr 17 2005 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe"
85184 Apr 17 2005 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
3587120 Apr 1 2008 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
3497984 Jan 30 2008 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"
127035 Nov 16 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
3587120 Apr 1 2008 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
3497984 Jan 30 2008 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"


end of report

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 09:27 PM

Hi stableg,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Apoint\bak\Apoint.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
"C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
"C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
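
The restore step above works because of what the AWF infection does: the legitimate autostart executable is moved into a "bak" sub-folder and a rogue file is dropped under the original name in the parent folder, which is why the first FindAWF report lists, for example, a "bak\Apoint.exe" but no matching "Apoint\Apoint.exe", and a VeohClient.exe in the parent folder with a different size and date from the one in "bak". As an added example that is not part of the thread and not noahdfear's FindAWF code, the script below reads the "Duplicate files of bak directory contents" section of a FindAWF-style report and, for each file inside a bak folder, checks whether the parent folder lists a copy with the same size and date. That is the check to run on the log posted after option 2: every backed-up original should come out as intact. The two report excerpts are constructed, modelled on the reports posted before and after the restore, and the line format assumed is the one visible in them.

```python
"""Verify a FindAWF-style report after a bak restore (added example, not FindAWF code)."""
import re
from dataclasses import dataclass

# One line of the duplicates section:  <size> <Mon d yyyy> "<full path>"
DUP_RE = re.compile(r'^(\d+) ([A-Za-z]{3} \d{1,2} \d{4}) "(.+)"$')

# Constructed excerpt modelled on the report posted before the restore.
BEFORE_REPORT = r"""
Find AWF report by noahdfear 2006
Version 1.40

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
15360 Apr 13 2008 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
3587120 Apr 1 2008 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"

end of report
"""

# Constructed excerpt modelled on the report posted after option 2 ran.
AFTER_REPORT = r"""
Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"

end of report
"""


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(report: str) -> list:
    """Return the entries listed under 'Duplicate files of bak directory contents'."""
    entries = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif in_section and line == "end of report":
            break
        elif in_section:
            m = DUP_RE.match(line)
            if m:
                entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_bak_restore(report: str) -> dict:
    """Map each backed-up original (a path inside a 'bak' folder) to a verdict:
    'intact'   the parent folder lists the same name with the same size and date
    'replaced' the parent folder lists the same name but a different size or date
    'missing'  no entry for the parent folder copy appears in the report
    """
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}
    verdicts = {}
    for e in entries:
        parts = e.path.split("\\")
        if len(parts) < 3 or parts[-2].lower() != "bak":
            continue
        parent_path = "\\".join(parts[:-2] + parts[-1:])   # drop the 'bak' component
        parent = by_path.get(parent_path.lower())
        if parent is None:
            verdicts[e.path] = "missing"
        elif (parent.size, parent.date) == (e.size, e.date):
            verdicts[e.path] = "intact"
        else:
            verdicts[e.path] = "replaced"
    return verdicts


def not_intact(report: str) -> list:
    """Sorted list of bak originals whose parent-folder copy is missing or differs."""
    return sorted(p for p, v in check_bak_restore(report).items() if v != "intact")


if __name__ == "__main__":
    for label, report in (("before restore", BEFORE_REPORT), ("after restore", AFTER_REPORT)):
        print(label)
        for path, verdict in check_bak_restore(report).items():
            print(f"  {verdict:8} {path}")
```

A "replaced" verdict with an identical size but a different date (ctfmon.exe in the first report) is still worth the restore: the size match says nothing about the contents, and the post-restore report is the one that should show every pair identical.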

#7 stableg

stableg
  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 09:36 PM

Hi SifuMike,

Here is the new log...

thanks

stableg


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Mon 05/04/2009
The current time is: 21:33:03.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 07:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

04/08/2005 02:52 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\SYMANT~1\SYMANT~2\BAK

04/17/2005 11:30 AM 85,184 VPTray.exe
1 File(s) 85,184 bytes

Directory of C:\PROGRA~1\VEOHNE~1\VEOH\BAK

09/12/2007 07:33 PM 2,560,000 VeohClient.exe
1 File(s) 2,560,000 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

11/16/2004 12:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/30/2004 03:59 PM 385,024 ifrmewrk.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\DOCUME~1\NISHUK~1\MYDOCU~1\VIDEOS\VEOH\APPBAC~1\BAK

09/12/2007 07:33 PM 2,560,000 VeohClient.exe
1 File(s) 2,560,000 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 28 2008 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Jan 2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
108096 Jan 2 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0TKZ2LQR\iTunesSetupAdmin[1].exe"
116008 Nov 12 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27MZ8NUR\iTunesSetupAdmin[1].exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
48752 Apr 8 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Apr 8 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
85184 Apr 17 2005 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe"
85184 Apr 17 2005 "C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
127035 Nov 16 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Nov 16 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"
2560000 Sep 12 2007 "C:\Program Files\Veoh Networks\Veoh\bak\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\VeohClient.exe"
2560000 Sep 12 2007 "C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak\VeohClient.exe"


end of report

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 09:54 PM

Hi stableg,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important



Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Apoint\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak
C:\Program Files\Veoh Networks\Veoh\bak
C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Veoh Networks\Veoh\bak
C:\Documents and Settings\nishukurup\My Documents\Videos\Veoh\AppBackup\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply

#9 stableg

stableg
  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 10:31 PM

Hi SifuMike,

Did all the stuff... here is the new log

thanks

stableg


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 05/04/2009
The current time is: 22:21:40.16


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 10:49 PM

Hi stableg,

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

then post a fresh DDS log.

#11 stableg

stableg
  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 10:59 PM

Hi SifuMike,

Here is the new dds.txt

attach.txt is attached

stableg


DDS (Ver_09-03-16.01) - NTFSx86
Run by nishukurup at 22:56:23.62 on Mon 05/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.383 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Client Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nishukurup\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [<NO NAME>]
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [bacstray] "BacsTray.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
mRun: [e0fc7470] "rundll32.exe" "c:\windows\system32\dotudoyi.dll",b
mRun: [fuyazabubi] "Rundll32.exe" "c:\windows\system32\sadokike.dll",s
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Windows: {00203f00-d7a2-456a-ae04-eb9abf822fe4} - c:\docume~1\nishuk~1\locals~1\temp\aow.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\tikupoba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nishuk~1\applic~1\mozilla\firefox\profiles\l711bwq0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\nishukurup\application data\mozilla\firefox\profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe [2006-5-5 909312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-4-8 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-30 1181040]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090504.005\naveng.sys [2009-5-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090504.005\navex15.sys [2009-5-4 876144]
R3 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
S2 RedSwooshService;RedSwooshService;c:\windows\system32\svchost.exe -k RedSwooshService [2004-8-4 14336]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 DXE201;Dynex DX-E201 CardBus PC Card;c:\windows\system32\drivers\DXE201.SYS [2007-2-3 25434]
S3 puid;puid;c:\windows\system32\drivers\pabc.sys --> c:\windows\system32\drivers\pabc.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-05-02 08:50 <DIR> --d----- C:\!KillBox
2009-05-01 07:30 389,120 a------- c:\windows\system32\cmd.execf
2009-04-30 23:56 1,433,378 ---sh--- c:\windows\system32\iyodutod.ini
2009-04-30 21:59 775,168 a------- c:\windows\isRS-000.tmp
2009-04-30 19:56 <DIR> --d----- c:\program files\MSSOAP
2009-04-30 19:55 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-30 19:55 <DIR> --d----- c:\program files\Webroot
2009-04-30 19:55 <DIR> --d----- c:\docume~1\nishuk~1\applic~1\Webroot
2009-04-30 19:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-04-30 19:54 164 a------- c:\windows\install.dat
2009-04-30 19:29 <DIR> --d----- C:\VundoFix Backups
2009-04-30 17:11 <DIR> --d----- c:\program files\Unlocker
2009-04-30 11:56 121 ---sh--- c:\windows\system32\olesosim.ini
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\wasatihi.dll
2009-04-29 16:47 2,713 ---sh--- c:\windows\system32\tebanohu.dll
2009-04-22 09:01 <DIR> --dsh--- c:\documents and settings\nishukurup\IECompatCache
2009-04-20 19:43 <DIR> --dsh--- c:\documents and settings\nishukurup\PrivacIE
2009-04-20 19:40 <DIR> --dsh--- c:\documents and settings\nishukurup\IETldCache
2009-04-20 19:35 <DIR> --d----- c:\windows\ie8updates
2009-04-20 19:30 <DIR> -cd-h--- c:\windows\ie8
2009-04-20 19:28 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-13 22:02 <DIR> --d----- c:\program files\Trend Micro
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\scripting
2009-04-13 21:36 <DIR> --d----- c:\windows\l2schemas
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\en
2009-04-13 21:36 <DIR> --d----- c:\windows\system32\bits
2009-04-13 21:33 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-13 21:24 <DIR> --d----- c:\windows\EHome
2009-04-11 19:52 <DIR> --d----- c:\windows\system32\Dell
2009-04-11 19:49 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-11 19:48 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-11 19:40 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-11 15:05 <DIR> --d----- c:\docume~1\nishuk~1\applic~1\Malwarebytes
2009-04-11 15:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 15:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-06 08:39 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-04-30 19:12 88,683 a------- c:\windows\system32\nvModes.dat
2009-04-13 21:40 79,123 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 15:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 15:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 05:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 05:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 05:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 05:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 05:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 05:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 05:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 05:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 05:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 05:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 05:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 05:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 05:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 05:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 05:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 05:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 05:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 05:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 05:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 05:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 05:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 05:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 05:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 05:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 05:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 05:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 05:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 05:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 05:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 05:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-20 13:09 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 07:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 07:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 07:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 20:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 20:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 22:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 05:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2008-04-24 17:46 0 a--sh--- c:\docume~1\nishuk~1\applic~1\0048110d2f9eaa2883821f2a6de2f6b6fa71fd22d1a6d6ab0e.dat
2005-03-10 16:38 0 a------- c:\program files\update.ini

============= FINISH: 22:56:52.08 ===============


#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:11 AM

Posted 04 May 2009 - 11:19 PM

Hi stableg,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_03
    Java™ 6 Update 2
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
****************


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006. Read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint

****************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec AntiVirus Corporate Edition antivirus, SpySweeper and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable SpySweeper
Open SpySweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 04 May 2009 - 11:28 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 stableg

stableg
  • Topic Starter

  • Members
  • 13 posts
  • Local time:04:11 AM

Posted 05 May 2009 - 12:36 AM

Hi SifuMike,

Did the ComboFix... I am attaching the log file.

Thanks

stableg

ComboFix 09-05-03.6 - nishukurup 05/05/2009 0:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.529 [GMT -5:00]
Running from: c:\documents and settings\nishukurup\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\nishukurup\Application Data\wiaserva.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\fad.sys
c:\windows\system32\iyodutod.ini
c:\windows\system32\olesosim.ini
c:\windows\system32\tebanohu.dll
c:\windows\system32\wasatihi.dll

----- BITS: Possible infected sites -----

hxxp://62.4.83.201
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 04:48 . 2009-05-05 04:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 13:50 . 2009-05-02 13:50 -------- d-----w C:\!KillBox
2009-05-01 00:56 . 2009-05-01 00:56 -------- d-----w c:\program files\MSSOAP
2009-05-01 00:55 . 2009-04-06 18:32 1563008 ----a-w c:\windows\WRSetup.dll
2009-05-01 00:55 . 2009-05-01 00:55 -------- d-----w c:\documents and settings\nishukurup\Application Data\Webroot
2009-05-01 00:55 . 2009-05-01 01:11 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-05-01 00:55 . 2009-05-01 00:55 -------- d-----w c:\program files\Webroot
2009-05-01 00:54 . 2009-05-01 02:55 164 ----a-w c:\windows\install.dat
2009-05-01 00:29 . 2009-05-01 00:29 -------- d-----w C:\VundoFix Backups
2009-04-30 22:11 . 2009-05-01 12:24 -------- d-----w c:\program files\Unlocker
2009-04-25 19:35 . 2009-04-25 19:35 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-22 14:01 . 2009-04-22 14:01 -------- d-sh--w c:\documents and settings\nishukurup\IECompatCache
2009-04-21 19:34 . 2009-04-21 19:34 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-21 00:43 . 2009-04-21 00:43 -------- d-sh--w c:\documents and settings\nishukurup\PrivacIE
2009-04-21 00:40 . 2009-04-21 00:40 -------- d-sh--w c:\documents and settings\nishukurup\IETldCache
2009-04-21 00:40 . 2009-04-21 00:40 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-21 00:35 . 2009-04-21 00:35 -------- d-----w c:\windows\ie8updates
2009-04-21 00:30 . 2009-04-21 00:32 -------- dc-h--w c:\windows\ie8
2009-04-21 00:28 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-14 19:13 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:13 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-14 19:13 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:13 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 19:13 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:13 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:13 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:13 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:13 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 19:13 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 19:13 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 03:02 . 2009-04-14 03:02 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\scripting
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\l2schemas
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\en
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\bits
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 02:24 . 2009-04-14 02:24 -------- d-----w c:\windows\EHome
2009-04-12 00:52 . 2009-04-12 00:52 -------- d-----w c:\windows\system32\Dell
2009-04-12 00:49 . 2009-04-12 00:49 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-04-12 00:48 . 2009-04-12 00:48 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-12 00:40 . 2009-04-12 00:49 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\documents and settings\nishukurup\Application Data\Malwarebytes
2009-04-11 20:05 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 20:05 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 18:38 . 2009-04-12 01:32 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 13:39 . 2009-04-06 13:39 -------- d-----w c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 05:22 . 2005-06-29 02:17 40 ----a-w c:\windows\system32\profile.dat
2009-05-05 05:03 . 2008-04-24 22:48 -------- d-----w c:\program files\Enigma Software Group
2009-05-05 05:02 . 2005-02-16 02:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-05 05:00 . 2005-02-15 23:08 101704 ----a-w c:\documents and settings\nishukurup\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-05 04:47 . 2005-02-10 00:34 -------- d-----w c:\program files\Java
2009-05-05 03:21 . 2007-01-02 12:32 -------- d-----w c:\program files\iTunes
2009-05-05 03:21 . 2007-01-02 12:30 -------- d-----w c:\program files\QuickTime
2009-05-05 03:21 . 2005-02-10 00:22 -------- d-----w c:\program files\Apoint
2009-05-01 07:47 . 2005-05-07 07:07 -------- d-----w c:\program files\CornellLog
2009-05-01 02:59 . 2009-05-01 02:59 775168 ----a-w c:\windows\isRS-000.tmp
2009-05-01 00:12 . 2005-02-10 00:26 88683 ----a-w c:\windows\system32\nvModes.dat
2009-04-25 22:45 . 2005-03-08 00:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 02:40 . 2004-08-10 19:13 79123 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-12 00:52 . 2005-02-10 00:35 -------- d-----w c:\program files\Dell
2009-04-02 19:30 . 2009-04-02 19:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2009-04-02 19:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2009-04-02 19:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-18 06:32 . 2005-02-21 07:07 -------- d-----w c:\program files\DivX
2009-03-18 06:31 . 2009-03-18 06:31 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-08 10:34 . 2004-08-04 11:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 11:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 11:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 11:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 11:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 11:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 11:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 11:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 11:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\system32\sc.exe
2005-03-10 21:38 . 2005-03-10 21:38 0 ----a-w c:\program files\update.ini
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-06-02 22:59 . 2005-02-16 00:41 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 22:59 . 2005-02-16 00:41 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 22:59 . 2005-02-16 00:41 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 7118848]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-07-07 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-07-07 86016]
"bacstray"="BacsTray.exe" - c:\windows\SYSTEM32\BacsTray.exe [2003-05-15 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\SideCar.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\ABAQUS\\6.4-1\\cae\\exec\\HKSker.exe"=
"c:\\Program Files\\CU Services\\JtF.exe"=
"c:\\Program Files\\Bear Access\\winba\\ws_ftp\\ws_ftp32.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 RedSwooshService;RedSwooshService;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 DXE201;Dynex DX-E201 CardBus PC Card;c:\windows\system32\DRIVERS\DXE201.SYS [2006-09-12 25434]
R3 puid;puid; [x]
R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-02 29808]
S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2004-10-26 909312]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-05-01 1181040]
S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-02-26 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RedSwooshService REG_MULTI_SZ RedSwooshService

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-14 23:39]

2009-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-987541803-1571034566-3504543676-1006.job
- c:\documents and settings\nishukurup\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 03:55]

2005-06-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-16 21:32]

2009-05-01 c:\windows\Tasks\wrSpySweeper_L489BAB3BA9714273B8A001CF500C8F8B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-01 18:32]

2009-05-01 c:\windows\Tasks\wrSpySweeper_L489BAB3BA9714273B8A001CF500C8F8B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-01 18:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{05bc8e0b-617f-4edc-919f-3b1de88ff71b} - c:\windows\system32\sodojiya.dll
HKLM-Run-e0fc7470 - c:\windows\system32\dotudoyi.dll
HKLM-Run-fuyazabubi - c:\windows\system32\sadokike.dll
ShellExecuteHooks-{00203F00-D7A2-456A-AE04-EB9ABF822FE4} - c:\docume~1\NISHUK~1\LOCALS~1\Temp\aow.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 00:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\matlab6p5\bin\win32\matlab.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-05 0:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 05:30

Pre-Run: 29,917,630,464 bytes free
Post-Run: 30,207,307,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,6
325 --- E O F --- 2009-04-15 09:06

#14 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:11 AM

Posted 05 May 2009 - 11:20 AM

Hi stableg,

Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run, type Notepad and click OK.
Open Notepad (don't use any other text editor than Notepad, or the script will fail).
Copy/paste the text in the code box below into Notepad:

Folder:: 
C:\VundoFix Backups

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
puid


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#15 stableg
  • Topic Starter
  • Members
  • 13 posts
  • Local time:04:11 AM

Posted 05 May 2009 - 07:22 PM

Hi SifuMike,

Could not work on the laptop until now since I was at work... here is the new ComboFix file

thanks

stableg

ComboFix 09-05-05.03 - nishukurup 05/05/2009 19:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.538 [GMT -5:00]
Running from: c:\documents and settings\nishukurup\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nishukurup\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_puid


((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 04:48 . 2009-05-05 04:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 13:50 . 2009-05-02 13:50 -------- d-----w C:\!KillBox
2009-05-01 00:56 . 2009-05-01 00:56 -------- d-----w c:\program files\MSSOAP
2009-05-01 00:55 . 2009-04-06 18:32 1563008 ----a-w c:\windows\WRSetup.dll
2009-05-01 00:55 . 2009-05-01 00:55 -------- d-----w c:\documents and settings\nishukurup\Application Data\Webroot
2009-05-01 00:55 . 2009-05-01 01:11 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-05-01 00:55 . 2009-05-01 00:55 -------- d-----w c:\program files\Webroot
2009-05-01 00:54 . 2009-05-01 02:55 164 ----a-w c:\windows\install.dat
2009-04-30 22:11 . 2009-05-01 12:24 -------- d-----w c:\program files\Unlocker
2009-04-25 19:35 . 2009-04-25 19:35 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-22 14:01 . 2009-04-22 14:01 -------- d-sh--w c:\documents and settings\nishukurup\IECompatCache
2009-04-21 19:34 . 2009-04-21 19:34 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-21 00:43 . 2009-04-21 00:43 -------- d-sh--w c:\documents and settings\nishukurup\PrivacIE
2009-04-21 00:40 . 2009-04-21 00:40 -------- d-sh--w c:\documents and settings\nishukurup\IETldCache
2009-04-21 00:40 . 2009-04-21 00:40 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-21 00:35 . 2009-04-21 00:35 -------- d-----w c:\windows\ie8updates
2009-04-21 00:30 . 2009-04-21 00:32 -------- dc-h--w c:\windows\ie8
2009-04-21 00:28 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-14 19:13 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:13 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-14 19:13 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:13 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 19:13 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:13 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:13 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:13 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:13 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 19:13 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 19:13 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 03:02 . 2009-04-14 03:02 -------- d-----w c:\program files\Trend Micro
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\scripting
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\l2schemas
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\en
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\bits
2009-04-14 02:33 . 2009-04-14 02:33 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 02:24 . 2009-04-14 02:24 -------- d-----w c:\windows\EHome
2009-04-12 00:52 . 2009-04-12 00:52 -------- d-----w c:\windows\system32\Dell
2009-04-12 00:49 . 2009-04-12 00:49 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-04-12 00:48 . 2009-04-12 00:48 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-12 00:40 . 2009-04-12 00:49 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\documents and settings\nishukurup\Application Data\Malwarebytes
2009-04-11 20:05 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 20:05 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 20:05 . 2009-04-11 20:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 18:38 . 2009-04-12 01:32 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 13:39 . 2009-04-06 13:39 -------- d-----w c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 00:05 . 2005-06-29 02:17 40 ----a-w c:\windows\system32\profile.dat
2009-05-05 05:41 . 2005-02-16 02:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-05 05:03 . 2008-04-24 22:48 -------- d-----w c:\program files\Enigma Software Group
2009-05-05 05:00 . 2005-02-15 23:08 101704 ----a-w c:\documents and settings\nishukurup\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-05 04:47 . 2005-02-10 00:34 -------- d-----w c:\program files\Java
2009-05-05 03:21 . 2007-01-02 12:32 -------- d-----w c:\program files\iTunes
2009-05-05 03:21 . 2007-01-02 12:30 -------- d-----w c:\program files\QuickTime
2009-05-05 03:21 . 2005-02-10 00:22 -------- d-----w c:\program files\Apoint
2009-05-01 07:47 . 2005-05-07 07:07 -------- d-----w c:\program files\CornellLog
2009-05-01 02:59 . 2009-05-01 02:59 775168 ----a-w c:\windows\isRS-000.tmp
2009-05-01 00:12 . 2005-02-10 00:26 88683 ----a-w c:\windows\system32\nvModes.dat
2009-04-25 22:45 . 2005-03-08 00:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 02:40 . 2004-08-10 19:13 79123 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-12 00:52 . 2005-02-10 00:35 -------- d-----w c:\program files\Dell
2009-04-02 19:30 . 2009-04-02 19:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2009-04-02 19:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2009-04-02 19:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-18 06:32 . 2005-02-21 07:07 -------- d-----w c:\program files\DivX
2009-03-18 06:31 . 2009-03-18 06:31 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-08 10:34 . 2004-08-04 11:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 11:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 11:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 11:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 11:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 11:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 11:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 11:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 11:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\system32\sc.exe
2005-03-10 21:38 . 2005-03-10 21:38 0 ----a-w c:\program files\update.ini
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-06-02 22:59 . 2005-02-16 00:41 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 22:59 . 2005-02-16 00:41 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 22:59 . 2005-02-16 00:41 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-05_05.26.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-02-15 23:00 . 2009-05-06 00:06 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-15 23:00 . 2009-05-05 05:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-15 23:00 . 2009-05-06 00:06 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-15 23:00 . 2009-05-05 05:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-02-15 23:00 . 2009-05-06 00:06 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2005-02-15 23:00 . 2009-05-05 05:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-04-21 00:40 . 2009-05-06 00:06 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2009-04-21 00:40 . 2009-05-05 05:23 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
"Google Update"="c:\documents and settings\nishukurup\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 7118848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-07-07 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-07-07 86016]
"bacstray"="BacsTray.exe" - c:\windows\SYSTEM32\BacsTray.exe [2003-05-15 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\SideCar.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\ABAQUS\\6.4-1\\cae\\exec\\HKSker.exe"=
"c:\\Program Files\\CU Services\\JtF.exe"=
"c:\\Program Files\\Bear Access\\winba\\ws_ftp\\ws_ftp32.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [5/5/2006 12:33 PM 909312]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/30/2009 7:58 PM 1181040]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [5/5/2009 1:34 PM 101936]
S2 RedSwooshService;RedSwooshService;c:\windows\System32\svchost.exe -k RedSwooshService [8/4/2004 6:00 AM 14336]
S3 DXE201;Dynex DX-E201 CardBus PC Card;c:\windows\SYSTEM32\DRIVERS\DXE201.SYS [2/3/2007 10:39 PM 25434]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RedSwooshService REG_MULTI_SZ RedSwooshService

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-14 23:39]

2009-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-987541803-1571034566-3504543676-1006.job
- c:\documents and settings\nishukurup\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 03:55]

2005-06-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-16 21:32]

2009-05-01 c:\windows\Tasks\wrSpySweeper_L489BAB3BA9714273B8A001CF500C8F8B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-01 18:32]

2009-05-01 c:\windows\Tasks\wrSpySweeper_L489BAB3BA9714273B8A001CF500C8F8B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-05-01 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.people.cornell.edu/pages/nvk2/personallinks.html
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\nishukurup\Application Data\Mozilla\Firefox\Profiles\l711bwq0.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\matlab6p5\bin\win32\matlab.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-06 19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 00:13
ComboFix2.txt 2009-05-05 05:32

Pre-Run: 29,898,391,552 bytes free
Post-Run: 30,185,230,336 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,6
310 --- E O F --- 2009-04-15 09:06




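The log above is the tail of the poster's ComboFix output. As an added example, not part of the thread and not ComboFix's own code, the Python script below shows how a helper could parse a log in this layout and apply the checks that are otherwise done by eye: third-party DLLs loaded inside winlogon.exe, random-looking eight-letter DLL names in system32 loaded by explorer.exe (the naming style of the Vundo family at the time; a heuristic, not a signature), processes running from outside the usual roots, and entries under LOCKED REGISTRY KEYS whose names end in " **", which is how ComboFix prints keys holding characters it cannot display. The sample text is a constructed, abbreviated copy of the log layout with one made-up DLL name (zojurewa.dll) added so the heuristics have a hit; the section titles and the regexes are assumptions about ComboFix's format drawn only from what is visible above. Every hit is a prompt to look, not a verdict: LgNotify.dll in winlogon.exe is Intel's wireless component, and the Intel Wireless "**" keys turn up on many machines with that software without indicating infection.

```python
import re
from collections import OrderedDict

# Constructed sample in the same layout as the ComboFix log posted above
# (abbreviated; zojurewa.dll is made up so the heuristics flag something).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\zojurewa.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\matlab6p5\bin\win32\matlab.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
"""

# Assumed layout: '---- TITLE ----' section headers, "- - - > 'proc'(pid)"
# process headers, '.' spacer lines and '****' separators.
SECTION_RE = re.compile(r"^-{3,}\s+(.+?)\s+-{3,}$")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
# Eight lowercase letters alternating consonant/vowel: the pronounceable
# random names this family used.  Heuristic only.
RANDOM_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxz][aeiou]){4}\.dll$")


def split_sections(text):
    """Map each section title to the non-empty lines under it."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line == "." or set(line) == {"*"} or current is None:
            continue
        sections[current].append(line)
    return sections


def parse_loaded_dlls(lines):
    """Return {(process name, pid): [dll paths]} from the 'DLLs Loaded' section."""
    result = OrderedDict()
    key = None
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            key = (m.group(1).lower(), int(m.group(2)))
            result[key] = []
        elif key is not None:
            result[key].append(line)
    return result


def parse_locked_keys(lines):
    """Key names from the 'LOCKED REGISTRY KEYS' section; value lines are skipped."""
    return [m.group(1) for line in lines for m in [REG_KEY_RE.match(line)] if m]


def triage(text, trusted_roots=("c:\\windows\\", "c:\\program files\\")):
    """Return (reason, item) pairs for anything a helper would want to look at."""
    sections = split_sections(text)
    findings = []
    loaded = parse_loaded_dlls(sections.get("DLLs Loaded Under Running Processes", []))
    for (proc, _pid), dlls in loaded.items():
        for dll in dlls:
            low = dll.lower()
            name = low.rsplit("\\", 1)[-1]
            # Anything outside c:\windows inside winlogon.exe deserves a look:
            # winlogon notification DLLs are a classic persistence point.
            if proc == "winlogon.exe" and not low.startswith("c:\\windows\\"):
                findings.append(("third-party DLL inside winlogon.exe", dll))
            if "\\system32\\" in low and RANDOM_NAME_RE.match(name):
                findings.append(("random-looking system32 DLL in " + proc, dll))
    for exe in sections.get("Other Running Processes", []):
        if not exe.lower().startswith(trusted_roots):
            findings.append(("process outside trusted roots", exe))
    for key in parse_locked_keys(sections.get("LOCKED REGISTRY KEYS", [])):
        if key.endswith(" **"):
            findings.append(("locked key with undisplayable name", key))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(reason + ": " + item)
```

Run against the sample it reports four items: the Intel DLL in winlogon.exe, the made-up zojurewa.dll in explorer.exe, matlab.exe running from c:\matlab6p5, and the Intel Wireless locked key. Widen trusted_roots to cover legitimate installs like the MATLAB one before using this on a real log, and treat the random-name check as a hint to verify the file (signer, creation time, whether the scanner can delete it) rather than as proof.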