
May Be It's Mr. Vundo


34 replies to this topic

#1 WISDOM01

WISDOM01

  • Members
  • 26 posts

Posted 08 June 2007 - 01:48 PM

I am posting the H*jackThis Log file.... This goes with my earlier thread at:
http://www.bleepingcomputer.com/forums/t/95274/something-weird-about-vundo/



Logfile of H*jackThis v1.99.1
Scan saved at 12:03:53 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Adobe Reader\Distillr\acrotray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Program Files\DAP\DAP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\clcr.exe
K:\hijackthis\abc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.rediff.com/index.html
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OwlForce - {37E1A9E5-00D4-4203-8E58-B91F383A3809} - F:\Globe7\Owlforce\Owlforce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll
O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [j8221634] rundll32 C:\WINDOWS\system32\j8221634.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ynqurgkc.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DA] F:\DesktopAssistant\DA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Magic Notes] "F:\Magic Notes\Sticky32.exe"
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe Reader\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E73DAC-647C-48A8-9341-35CD9462E19B}: NameServer = 202.56.215.6,202.56.230.6
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - F:\Quartus\win\JTAGServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHomeAgent - oracle - e:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - e:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeDataGatherer - Unknown owner - e:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHomeTNSListener - Unknown owner - e:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant1 - Oracle Corporation - e:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - F:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)



Ask me if you want to clarify anything. I occasionally close some applications/processes which I don't like through the Control Panel.
Also, this log file has been created after closing Explorer.exe, so please keep that in mind.....
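Added example, not part of this thread and not code from HijackThis, VundoFix or any other tool named here: a small Python triage script that reads HijackThis-style lines like the ones in the log above and flags the patterns a helper scans for first in a Vundo case: BHOs registered with no name, dangling entries marked (file missing), random-looking DLL names under system32 loaded through rundll32 autoruns, and Winlogon Notify packages outside a small allow-list. The allow-list and the "random-looking name" heuristic are assumptions of this example, not rules from any tool; the sample lines are adapted from the log posted above.

```python
import re

# Constructed sample, adapted from the HijackThis log posted above in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll",
    r"O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [j8221634] rundll32 C:\WINDOWS\system32\j8221634.dll sook",
    r'O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ynqurgkc.dll",realset',
    r"O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)",
]

# Winlogon Notify packages expected on a Windows XP box with Intel graphics and
# WGA installed. Assumption of this example: illustrative allow-list, not exhaustive.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}

# Captures the file stem of any DLL living directly under ...\system32\
SYS32_DLL = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)


def looks_random(stem):
    """Heuristic for Vundo-style file names (kvhagqhl, ssqro, j8221634):
    a letter/digit mash with many digits, or a vowel-poor run of letters.
    Stems with fewer than five letters are left alone to limit false positives."""
    s = stem.lower()
    if not s.isalnum():
        return False
    letters = [c for c in s if c.isalpha()]
    digits = sum(c.isdigit() for c in s)
    if digits >= 4 and letters:
        return True
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def triage_line(line):
    """Return the reasons this HijackThis line deserves a second look ([] if none)."""
    reasons = []
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O20", ...
    match = SYS32_DLL.search(line)
    stem = match.group(1) if match else None

    if "(file missing)" in line:
        reasons.append("dangling entry: referenced file is missing")
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if section in ("O2", "O4") and stem and looks_random(stem):
        reasons.append(f"random-looking system32 DLL: {stem}.dll")
    if section == "O4" and "rundll32" in line.lower() and stem:
        reasons.append("rundll32 autorun loading a system32 DLL")
    if section == "O20":
        package = line.split(": ", 1)[1].split(" - ", 1)[0]
        if package.lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package not on allow-list: {package}")
    return reasons


def triage(lines):
    """Return [(line, reasons)] for every line that tripped at least one check."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it flags seven of the eleven lines and leaves the Yahoo! BHO, ccApp, igfxcui and WgaLogon entries alone. The checks are deliberately layered: clk.dll is too short for the name heuristic, so it is caught only because "notifyc" is not an expected Notify package, which is why an allow-list matters more than clever name scoring for the O20 section.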


#2 therock247uk

therock247uk

    Malware Killer


  • Malware Response Team
  • 154 posts
  • Location:Newark, Nottingham, UK

Posted 08 June 2007 - 01:50 PM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 WISDOM01

WISDOM01
  • Topic Starter

  • Members
  • 26 posts

Posted 08 June 2007 - 02:05 PM

This is the VundoFix log file... clk.dll is still on my computer although VundoFix no longer shows it in its list.
PLEASE NOTE I HAVE NO JAVA INSTALLED ON MY COMPUTER. I HAVE UNINSTALLED EVERY BIT OF IT AT THE PRESENT MOMENT FROM THE CONTROL PANEL.


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 12:41:48 AM 6/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\hbnovgls.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\ssqro.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\clk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\orqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqss.tmp
C:\WINDOWS\system32\orqss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ssqro.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\clk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 1:34:59 AM 6/8/2007

Listing files found while scanning....


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 2:00:11 AM 6/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\clk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\clk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\clk.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Edited by WISDOM01, 08 June 2007 - 02:09 PM.


#4 therock247uk

therock247uk

    Malware Killer


  • Malware Response Team
  • 154 posts
  • Location:Newark, Nottingham, UK

Posted 08 June 2007 - 02:29 PM

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 WISDOM01

WISDOM01
  • Topic Starter

  • Members
  • 26 posts

Posted 09 June 2007 - 04:18 AM

NOTE: Wherever you see C*mboFix, replace * with 'o'.

Hi therock,
I have tried to run C*mboFix twice. After 5 minutes of starting it, it displays the message "Almost done.... your log file would be produced at... (see the screenshot attached to this post)".

After that, I waited for more than 3 hours (yes!!) and nothing actually happened, except that I got a 53 MB folder at C:\C*mboFix and one 300 KB C:\QooBox.

Unfortunately, no log file is produced.

I am pasting this text file that I found in C:\C*mboFix\C*mboFix.txt

***

"Vivek Malhotra" - 2007-06-09 14:06:13 Service Pack 2
ComboFix 07-06-3B - Running from: ""

/wow section not completed

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-06 07:54:06 -------- d-----w C:\Program Files\Airtel
2007-05-06 07:53:42 -------- d-----w C:\Program Files\Common Files\SupportSoft
2007-04-25 14:12:58 1 ---ha-w C:\WINDOWS\system32\m3.dll
2007-04-25 09:46:30 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2007-03-28 13:11:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 13:11:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=F:\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-07 16:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{37E1A9E5-00D4-4203-8E58-B91F383A3809}=F:\Globe7\Owlforce\Owlforce.dll [2006-10-02 10:35]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=F:\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}=C:\WINDOWS\system32\kvhagqhl.dll [2007-06-07 13:43]
{93610CD9-174B-4666-A8C9-ED2071E6C48F}=C:\WINDOWS\system32\ssqro.dll []
{AE7CD045-E861-484f-8273-0445EE161910}=D:\Adobe Reader\Acrobat\AcroIEFavClient.dll [2003-05-15 01:03]
{BDF3E430-B101-42AD-A544-FADC6B084872}=F:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nxpclient"="C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe" [2007-01-11 12:19]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"DA"="F:\DesktopAssistant\DA.exe" [2006-07-14 13:24]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Magic Notes"="F:\Magic Notes\Sticky32.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"="C:\WINDOWS\system32\clk.dll" [2007-06-08 01:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afffdbbbbe]
C:\WINDOWS\system32\afffdbbbbe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]
C:\WINDOWS\system32\clk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpva32]
winpva32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf0b3c4-b834-11da-bf0f-00085c554f0a}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
_\command- NETSVCS.EXE


Contents of the 'Scheduled Tasks' folder
2007-06-01 14:30:08 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Vivek Malhotra.job


**************************************************************************************

And here's the HijackTHis log file

Logfile of HijackThis v1.99.1
Scan saved at 02:30:15 PM, on 2007-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Quartus\win\JTAGServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
e:\Oracle\Ora81\BIN\TNSLSNR.exe
e:\oracle\ora81\bin\ORACLE.EXE
e:\Oracle\Ora81\BIN\OWASTSVR.EXE
e:\Oracle\Ora81\bin\oradim.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
F:\DesktopAssistant\DA.exe
D:\Adobe Reader\Distillr\acrotray.exe
C:\WINDOWS\system32\clcr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
K:\HijackThis\abc.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OwlForce - {37E1A9E5-00D4-4203-8E58-B91F383A3809} - F:\Globe7\Owlforce\Owlforce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll
O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DA] F:\DesktopAssistant\DA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Magic Notes] "F:\Magic Notes\Sticky32.exe"
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe Reader\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E73DAC-647C-48A8-9341-35CD9462E19B}: NameServer = 202.56.215.6,202.56.230.6
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - F:\Quartus\win\JTAGServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHomeAgent - oracle - e:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - e:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeDataGatherer - Unknown owner - e:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHomeTNSListener - Unknown owner - e:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant1 - Oracle Corporation - e:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - F:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

*****************************

You may be surprised to know that I created a new text file and named it C*mboFix. The file automatically closed. And yes, the file was empty, not even a single character in it.

One more thing that I would like to put here: every time I run this thing (C*mboFix etc.), my time settings are automatically changed to hh:mm format!!! Why so? :thumbsup:

Edited by WISDOM01, 09 June 2007 - 04:23 AM.


#6 therock247uk

therock247uk

    Malware Killer


  • Malware Response Team
  • 154 posts
  • Location:Newark, Nottingham, UK

Posted 09 June 2007 - 10:02 AM

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#7 WISDOM01

WISDOM01
  • Topic Starter

  • Members
  • 26 posts

Posted 09 June 2007 - 01:18 PM

Hi therock, I tried to run WinPFind in SAFE MODE but it refused to run and instead gave some errors, the screenshots of which I have enclosed with this post.

Can you tell why even WinPFind has refused to run, and before that ComboFix was also not running??

Also, I tried to run WinPFind after closing explorer.exe in safe mode, but with no success... :thumbsup:
And yes, clcr.exe was there in safe mode also.

Please reply soon...


WILL SOMEONE GUIDE ME WHAT TO DO NEXT? I AM DESPERATELY WAITING FOR YOUR VALUABLE REPLIES.

Attached Files

  • Attached File  err.JPG   9.8KB   13 downloads
  • Attached File  err2.JPG   11.59KB   13 downloads
  • Attached File  err3.JPG   9.8KB   12 downloads

Edited by WISDOM01, 10 June 2007 - 04:37 AM.


#8 therock247uk

therock247uk

    Malware Killer


  • Malware Response Team
  • 154 posts
  • Location:Newark, Nottingham, UK

Posted 10 June 2007 - 03:01 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#9 WISDOM01

WISDOM01
  • Topic Starter

  • Members
  • 26 posts

Posted 10 June 2007 - 03:33 PM

SDFix: Version 1.86

Run by Vivek Malhotra - 2007-06-11 - 1:38:06.31

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\VIVEKM~1\Desktop\SDFix\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\VIVEKM~1\LOCALS~1\Temp\win64.tmp.exe - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\VIVEKM~1\LOCALS~1\Temp\tmp*.tmp - Deleted
C:\DOCUME~1\VIVEKM~1\LOCALS~1\Temp\win*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\VIVEKM~1\Desktop\SDFix\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Administrator\NetHood\ftp.circuitcellar.com\Desktop.ini
C:\WINDOWS\system32\m3.dll
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT5.tmp
C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0001.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0004.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1599.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL2794.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1832.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1609.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0855.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL3754.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0226.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0987.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0290.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1033.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1584.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1761.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL0410.tmp
C:\Documents and Settings\All Users\Documents\New Folder (2)\~WRL1639.tmp
C:\Documents and Settings\Vivek Malhotra\Application Data\Microsoft\Word\~WRL3501.tmp

Listing User Accounts:

User accounts for \\VIVEK

ACTUser Administrator ASPNET
Guest HelpAssistant IUSR_VIVEK
IWAM_VIVEK SQLDebugger SUPPORT_388945a0
Vivek Malhotra VUSR_VIVEK WADM_VIVEK


Finished

*****************************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 01:53:54 AM, on 2007-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
e:\Oracle\Ora81\BIN\TNSLSNR.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\clcr.exe
F:\DesktopAssistant\DA.exe
D:\Adobe Reader\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\clcr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vivek Malhotra\Application Data\Microsoft\Internet Explorer\Quick Launch\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
K:\hijackthis\abc.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OwlForce - {37E1A9E5-00D4-4203-8E58-B91F383A3809} - F:\Globe7\Owlforce\Owlforce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll
O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DA] F:\DesktopAssistant\DA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Magic Notes] "F:\Magic Notes\Sticky32.exe"
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe Reader\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E73DAC-647C-48A8-9341-35CD9462E19B}: NameServer = 202.56.215.6,202.56.230.6
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - F:\Quartus\win\JTAGServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHomeAgent - oracle - e:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - e:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeDataGatherer - Unknown owner - e:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHomeTNSListener - Unknown owner - e:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant1 - Oracle Corporation - e:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - F:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

#10 therock247uk (Malware Killer, Malware Response Team; Newark, Nottingham, UK)

Posted 10 June 2007 - 03:49 PM

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\m3.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File


#11 WISDOM01 (Topic Starter, Members)

Posted 11 June 2007 - 03:42 AM

therock, I have submitted the file as instructed.

Thanks for your time.

#12 therock247uk (Malware Killer, Malware Response Team; Newark, Nottingham, UK)

Posted 11 June 2007 - 09:04 AM

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile C:\windelf.txt, along with a new HijackThis log.

#13 WISDOM01 (Topic Starter, Members)

Posted 11 June 2007 - 10:55 AM

WIN32DELFKIL LOGFILE - by Marckie


version 3.127
2007-06-11 21:14:46.10
running from: "C:\Documents and Settings\Vivek Malhotra\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"=""



--- sharedtaskkey (1): AF0BE91A-D92D-44F5-9581-64F629762E5A ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF0BE91A-D92D-44F5-9581-64F629762E5A}]
@="C:\\WINDOWS\\system32\\clk.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF0BE91A-D92D-44F5-9581-64F629762E5A}\InprocServer32]
@="C:\\WINDOWS\\system32\\clk.dll"
"ThreadingModel"="Apartment"

checking for file:
clk.dll found
clk.dll deleted!

--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!
***********************************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 09:19:58 PM, on 2007-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\Quartus\win\JTAGServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\notepad.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
e:\Oracle\Ora81\BIN\TNSLSNR.exe
C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
F:\DesktopAssistant\DA.exe
e:\oracle\ora81\bin\ORACLE.EXE
D:\Adobe Reader\Distillr\acrotray.exe
e:\Oracle\Ora81\BIN\OWASTSVR.EXE
e:\Oracle\Ora81\bin\oradim.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\NOTEPAD.EXE
K:\hijackthis\abc.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: OwlForce - {37E1A9E5-00D4-4203-8E58-B91F383A3809} - F:\Globe7\Owlforce\Owlforce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll
O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe Reader\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DA] F:\DesktopAssistant\DA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Magic Notes] "F:\Magic Notes\Sticky32.exe"
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe Reader\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30E73DAC-647C-48A8-9341-35CD9462E19B}: NameServer = 202.56.215.6,202.56.230.6
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - F:\Quartus\win\JTAGServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHomeAgent - oracle - e:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - e:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeDataGatherer - Unknown owner - e:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHomeTNSListener - Unknown owner - e:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant1 - Oracle Corporation - e:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - F:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
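Added example, not code from this thread, from HijackThis or from any of the fix tools used above: a small triage script that applies to O2 (BHO) and O20 (Winlogon Notify) lines the same checks a responder applies by eye when reading the logs in this thread. It flags unnamed BHOs, dangling "(file missing)" entries, Winlogon Notify subkeys outside a known baseline, and DLL names that look machine-generated (the kvhagqhl.dll, ssqro.dll and afffdbbbbe.dll pattern above). Assumptions: the KNOWN_NOTIFY allowlist is partial (the XP SP2 defaults plus the two vendor entries seen in these logs) and looks_generated is a rule of thumb rather than a signature; the sample lines are constructed, modelled on the entries in the logs above.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example, not part of the thread or of HijackThis.
"""
import re
from dataclasses import dataclass, field

# Assumption: partial allowlist. First row: default XP SP2 Winlogon\Notify
# subkeys. Second row: vendor entries present in the logs of this thread.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
    "igfxcui", "wgalogon",
}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    line: str
    target: str                       # DLL basename the entry points at
    reasons: list = field(default_factory=list)


def looks_generated(basename: str) -> bool:
    """Heuristic for Vundo-style names: 5-10 lowercase letters, few vowels.

    Assumption: a rule of thumb, not a signature. kvhagqhl and ssqro match;
    AcroIEHelper (mixed case), yt (too short) and winpva32 (digits) do not.
    """
    stem = basename.rsplit(".", 1)[0]
    if not (stem.isalpha() and stem.islower() and 5 <= len(stem) <= 10):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels * 5 <= len(stem)          # vowel ratio <= 0.2


def triage(lines):
    """Return a Finding for every O2/O20 line carrying at least one red flag."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m:
            target = m["path"].rsplit("\\", 1)[-1]
            if m["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if m["missing"]:
                reasons.append("file missing")
            if looks_generated(target):
                reasons.append("generated-looking name")
        else:
            m = O20_RE.match(line)
            if not m:
                continue                  # not an O2/O20 line
            target = m["path"].rsplit("\\", 1)[-1]
            if m["key"].lower() not in KNOWN_NOTIFY:
                reasons.append("unknown Notify subkey")
                if looks_generated(target):
                    reasons.append("generated-looking name")
            if m["missing"]:
                reasons.append("file missing")
        if reasons:
            findings.append(Finding(line, target, reasons))
    return findings


# Constructed sample, modelled on the O2/O20 entries in the logs above.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\kvhagqhl.dll",
    r"O2 - BHO: (no name) - {93610CD9-174B-4666-A8C9-ED2071E6C48F} - C:\WINDOWS\system32\ssqro.dll (file missing)",
    r"O20 - Winlogon Notify: afffdbbbbe - C:\WINDOWS\system32\afffdbbbbe.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winpva32 - winpva32.dll (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.target:16} {', '.join(f.reasons)}")
```

The allowlist does the real work for O20: a Notify DLL that loads into winlogon.exe at every logon is a strong persistence point, so anything outside the baseline deserves a look even when its name reads normally (notifyc/clk.dll above). The name heuristic is only a tie-breaker; the Intel igfxsrvc.dll would trip it on its own, which is why it is consulted only after the subkey check fails.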

#14 WISDOM01 (Topic Starter, Members)

Posted 11 June 2007 - 11:10 AM

Heyyyyy therock,

I don't know whether there is still anything wrong with my system or not, but I can visit all those sites which earlier used to be automatically closed, which means now I can visit your site, Norton's site, can open the text file titled ComboFix etc., and there's no clcr.exe now in my system, which means hurray... a big hurray perhaps..... and also now I don't need to close explorer.exe to run HijackThis etc. etc.

Just amazing... waiting for your analysis of the logfiles that I posted before. Do you see anything wrong with my system now? And if not, can you tell me how to protect it in future? I have always used Norton AntiVirus... Also, I read somewhere that this Vundo virus had come due to some loophole in Java and presently, I don't have any Java installed on my computer. I had to uninstall it due to lack of space and this virus problem arose then after I uninstalled Java...... Please guide.

#15 therock247uk (Malware Killer, Malware Response Team; Newark, Nottingham, UK)

Posted 11 June 2007 - 09:42 PM

Can you please run Vundofix again?

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



