HijackThis Log


14 replies to this topic

#1 Charley Chacko

Posted 30 April 2009 - 12:08 PM

Please review my HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:16 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Mcshield.exe
D:\Program Files\VsTskMgr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\Program Files\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
D:\Program Files\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\explorer.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232644155546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235484780031
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAAE11B3-79D2-44C6-B0F3-A061F8199572}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7796 bytes


#2 Charley Chacko

  • Topic Starter

Posted 30 April 2009 - 12:16 PM

Here is my DDS report and the attached zip file. I saw this in another thread here, so it would save time.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Mr.Charley Chacko at 22:43:59.27 on Thu 04/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2036.770 [GMT 5.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Mcshield.exe
D:\Program Files\VsTskMgr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\Program Files\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
D:\Program Files\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Mr.Charley Chacko\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [McAfeeUpdaterUI] "d:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Nitro PDF Printer Monitor] "d:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [ShStatEXE] "d:\program files\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [RemoteControl] "d:\program files\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\reader\reader_sl.exe
IE: &Download by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\office11\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - d:\progra~1\icq\ICQ.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232644155546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235484780031
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {BAAE11B3-79D2-44C6-B0F3-A061F8199572} = 61.1.96.69,61.1.96.71
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-3-4 58464]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-18 55152]
R2 McAfeeFramework;McAfee Framework Service;d:\program files\network associates\common framework\FrameworkService.exe [2009-1-22 102463]
R2 McShield;Network Associates McShield;d:\program files\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;d:\program files\VsTskMgr.exe [2004-9-22 28672]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2009-3-4 108480]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 StudioPro;StudioPro webcam;c:\windows\system32\drivers\StudioPro.sys [2009-1-23 120320]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-1-23 38784]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-04-30 22:42 <DIR> --d----- C:\quarantine
2009-04-30 20:16 <DIR> --d----- c:\windows\pss
2009-04-30 15:19 <DIR> --dshr-- c:\program files\ThunMail
2009-04-30 13:56 <DIR> --d----- c:\docume~1\mrc0f3~1.cha\applic~1\Malwarebytes
2009-04-30 13:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-30 13:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 13:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-30 13:07 38,400 a------- c:\windows\system32\localtestn.exe
2009-04-30 13:07 22,528 a------- c:\windows\system32\localtest.exe
2009-04-30 13:07 3,584 a--sh--- c:\windows\system32\localtest.dll
2009-04-29 18:57 5 a------- c:\windows\system32\_id.dat
2009-04-28 20:03 4,952 a------- c:\windows\system32\tbxisv.key
2009-04-24 18:51 299,520 a------- c:\windows\uninst.exe
2009-04-24 18:51 <DIR> --d----- c:\documents and settings\mr.charley chacko\WINDOWS
2009-04-23 20:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Readon
2009-04-20 20:16 5 a------- c:\windows\d.ini
2009-04-20 20:16 210 a------- c:\windows\GooGleeee.vbs
2009-04-12 20:01 113,234 a------- c:\windows\system32\drivers\266e9c55.sys
2009-04-07 14:56 83,294 a------- c:\windows\system32\drivers\29399257.sys
2009-04-03 20:24 <DIR> --d----- c:\docume~1\mrc0f3~1.cha\applic~1\MRTalk

==================== Find3M ====================

2009-03-17 16:06 1,993,386 a------- c:\windows\XSitePro2 Resource Pack 1 Uninstaller.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 15:42 839,238 a------- c:\windows\XSitePro2 Uninstaller.exe
2009-02-20 13:41 75,264 a------- c:\windows\cadkasdeinst01e.exe
2009-02-11 21:02 457 a------- c:\program files\INSTALL.LOG
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 22:44:22.44 ===============


Edited by Charley Chacko, 30 April 2009 - 12:19 PM.


#3 teacup61

  • Malware Response Team

Posted 13 May 2009 - 02:15 AM

Hello Charley Chacko,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 Charley Chacko

  • Topic Starter

Posted 13 May 2009 - 05:58 AM

Please see the report below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:04 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\Program Files\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
D:\Program Files\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\VsTskMgr.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
D:\Program Files\Adobe\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232644155546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235484780031
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAAE11B3-79D2-44C6-B0F3-A061F8199572}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: pplive 2008 (pplive_server_2008) - Unknown owner - C:\Program Files\pplive\pplives.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8617 bytes
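
The two HijackThis logs in this thread (posts #1 and #4) differ in a few lines a reviewer would look at first: the O20 AppInit_DLLs entry, the O4 Run entry under HKUS\.DEFAULT, the O17 NameServer value (public addresses in the first log, 192.168.1.1 in the second) and the repeated explorer.exe processes. The script below is an added example, not part of the thread and not HijackThis code; it parses a log in this format and flags those entry types for review. The sample log is a constructed subset of the lines from post #1, and the function names (parse_hjt, triage, triage_log) and the heuristics are this example's own: they are review prompts, not verdicts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the lines from the HijackThis v2.0.2 log in post #1,
# kept in the tool's own format so the parser below sees realistic input.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:16 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAAE11B3-79D2-44C6-B0F3-A061F8199572}: NameServer = 61.1.96.69,61.1.96.71
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O4, O17 or O20.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its tagged entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def _is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def triage(processes, entries):
    """Return (section, reason, detail) tuples for lines worth a closer look.

    These are review prompts, not verdicts: each reason says why the line stands
    out, and a human still has to confirm what the file or address actually is.
    """
    findings = []
    # The same image several times: extra explorer.exe instances are typical of a DLL
    # injected into Explorer, but "launch folder windows in a separate process" is benign.
    for image, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(("process", f"{n} instances of the same image", image))
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:   # any AppInit_DLLs value is loaded into every process that uses user32.dll
                findings.append((sec, "AppInit_DLLs is set; the DLL is loaded into every user32 process", value))
        elif sec == "O4" and body.startswith("HKUS\\.DEFAULT\\"):
            findings.append((sec, "Run entry in the .DEFAULT hive (logon-screen context, not a user profile)", body))
        elif sec == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            public = [s for s in servers if not _is_private(s)]
            if public:  # public resolvers may simply be the ISP's; confirm rather than assume
                findings.append((sec, "DNS servers outside private ranges; confirm they are the ISP's", ",".join(public)))
    return findings


def triage_log(text):
    """Convenience wrapper: parse a log and return its findings."""
    return triage(*parse_hjt(text))


if __name__ == "__main__":
    for sec, reason, detail in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {detail}")
```

Run against the second log (post #4) the O17 check stays quiet, because 192.168.1.1 is a private address; the O20 line is also absent there, which is the kind of difference between two logs from the same machine that is easier to see when both go through the same checks than by reading them side by side.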

#5 teacup61

  • Malware Response Team

Posted 13 May 2009 - 07:02 AM

Hello,

Can you please tell me what problems you're having? :thumbup2:

Thanks,
tea

#6 Charley Chacko

  • Topic Starter

Posted 14 May 2009 - 03:10 AM

I always see McAfee pop-ups showing trojans. Also, I scanned using Malwarebytes and Spyware Doctor; they showed me many entries, which I cleaned, but after re-running the scan it shows the same errors.

#7 teacup61

  • Malware Response Team

Posted 14 May 2009 - 09:39 AM

Hi there,

Can you please post the MBAM report for me? :thumbup2:

Thanks,
tea

#8 Charley Chacko

  • Topic Starter

Posted 15 May 2009 - 02:42 AM

Below is the report using the Perform Quick Scan option.

Malwarebytes' Anti-Malware 1.36
Database version: 2132
Windows 5.1.2600 Service Pack 2

5/15/2009 1:07:02 PM
mbam-log-2009-05-15 (13-07-02).txt

Scan type: Quick Scan
Objects scanned: 75927
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayxyvTM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUmJCUl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b85b88d-a4c0-4491-8244-4e4e681fb8dd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3b85b88d-a4c0-4491-8244-4e4e681fb8dd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtumjcul (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayxyvtm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayxyvtm -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayxyvTM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MTvyxyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MTvyxyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmJCUl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvwWnKC.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WDEFW1EZ\d2x[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

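The Malwarebytes entries above show one Vundo component wired into several autostart points at once: a Browser Helper Object and ShellExecuteHook under the same CLSID, a Winlogon notification DLL, and a DLL name pushed into both LSA "Notification Packages" and "Authentication Packages" so lsass.exe loads it at boot. That is why two of the DLLs are marked "Delete on reboot": they were loaded by a system process when the scan ran and are still on disk until the restart. The Python script below is an added example, not code from the original thread or from Malwarebytes. It parses log lines in this format, labels the persistence mechanism each registry entry abuses, groups the artifacts by component name (Vundo's .ini companion carries the DLL's name reversed, MTvyxyay.ini for yayxyvTM.dll, so a reversed stem counts as a match), and lists the files still pending deletion. The sample lines are copied from the log above; the regex, mechanism labels and helper names are the example's own construction.

```python
import re

# Constructed sample input: a subset of the Malwarebytes' Anti-Malware log
# posted above, kept in the log's own line format.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtumjcul (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayxyvtm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayxyvtm -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yayxyvTM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MTvyxyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmJCUl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvwWnKC.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# Log line shape: "<item> (<detection>) -> <status>"; for Registry Data Items
# the status part is "Data: <value> -> <status>".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations seen in the log and what loads a DLL registered there
# (example's own labels; matched case-insensitively as substrings).
MECHANISMS = (
    (r"\Explorer\Browser Helper Objects", "IE Browser Helper Object (DLL loaded into each Internet Explorer process)"),
    (r"\Winlogon\Notify", "Winlogon notification package (DLL loaded by winlogon.exe at logon)"),
    (r"\Explorer\ShellExecuteHooks", "Shell execute hook (COM object loaded by Explorer when it launches programs)"),
    (r"\Control\LSA\Notification Packages", "LSA notification package (DLL loaded by lsass.exe at boot)"),
    (r"\Control\LSA\Authentication Packages", "LSA authentication package (DLL loaded by lsass.exe at boot)"),
    (r"\CurrentControlSet\Services", "Service (started by the service control manager)"),
)


def _basename(path):
    """Final backslash-separated component of a registry or file path."""
    return path.rsplit("\\", 1)[-1]


def _stem(path):
    """Lower-cased final component without extension: 'yayxyvTM.dll' -> 'yayxyvtm'."""
    return _basename(path).rsplit(".", 1)[0].lower()


def parse_mbam_log(text):
    """Parse 'Registry ... Infected:' / 'Files Infected:' sections into dicts."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # e.g. "(No malicious items detected)"
        rest = m.group("rest").rstrip(".")
        data = None
        if rest.startswith("Data: "):
            data, rest = rest[len("Data: "):].split(" -> ", 1)
        entries.append({"section": section, "item": m.group("item"),
                        "detection": m.group("detection"), "data": data, "status": rest})
    return entries


def classify(entry):
    """Persistence mechanism a registry entry abuses, or None for file entries."""
    if not entry["section"].startswith("Registry"):
        return None
    item = entry["item"].lower()
    for needle, label in MECHANISMS:
        if needle.lower() in item:
            return label
    return "Other registry location"


def cluster_by_component(entries):
    """Group entries by component name so the DLL, its reversed-name .ini and
    the registry entries that reference it land in one list.

    For data items the referenced value (e.g. c:\\windows\\system32\\yayxyvtm)
    is the name that matters, not the LSA key that holds it.  A stem and its
    reverse share a group; the first-seen spelling is used as the group key.
    """
    canon, groups = {}, {}
    for e in entries:
        stem = _stem(e["data"] or e["item"])
        key = canon.setdefault(min(stem, stem[::-1]), stem)
        groups.setdefault(key, []).append(_basename(e["item"]))
    return groups


def pending_reboot(entries):
    """Files the scanner could not remove while they were in use; still on disk until restart."""
    return [_basename(e["item"]) for e in entries
            if e["section"] == "Files" and e["status"] == "Delete on reboot"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for e in found:
        mech = classify(e)
        if mech:
            print(f"{_basename(e['item']):42} {mech}")
    for key, members in cluster_by_component(found).items():
        print(f"component {key}: {members}")
    print("still present until reboot:", pending_reboot(found))
```

Run against the full log rather than the subset, the clusters also pull the CLSID and Ext\Stats keys into the BHO group, since all four registry entries share the same GUID. The practical reading of the output is the one the helper acts on later in the thread: the DLLs loaded by lsass and winlogon cannot be removed in place, so the machine has to be rebooted and rescanned before the log can be called clean.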
#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 May 2009 - 05:20 AM

Hello,

Thanks for that. :thumbup2: I wanted to be sure before we run this:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

Also disable McAfee completely.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#10 Charley Chacko

Charley Chacko
  • Topic Starter
  • Members
  • 9 posts

Posted 15 May 2009 - 07:11 AM

Could you tell me how to disable McAfee? Should I uninstall it?

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 May 2009 - 07:14 AM

Actually that would be best for McAfee. It gives the most trouble among the AVs. :thumbup2:

#12 Charley Chacko

Charley Chacko
  • Topic Starter
  • Members
  • 9 posts

Posted 15 May 2009 - 12:22 PM

I uninstalled McAfee. I cannot run Spybot S&D; it is greyed out. It was working before uninstalling McAfee. Here is a screenshot. Also, I want you to know that none of the .exe files are working after uninstalling McAfee.

[screenshot]

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 May 2009 - 10:14 PM

Can you run ComboFix?

#14 Charley Chacko

Charley Chacko
  • Topic Starter
  • Members
  • 9 posts

Posted 16 May 2009 - 03:50 AM

Here is a screenshot of ComboFix. It is idle; I waited for 5 minutes. Also look at the icons in the Quick Launch bar; they are not working after uninstalling McAfee.

[screenshot]

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 May 2009 - 01:55 AM

Hello,

Try reinstalling McAfee and see if that gets things working again, then run ComboFix.

tea