problem opening flash media in browser [RESOLVED]



#1
mithpat (New Member, 8 posts)
Hi,

I have a problem opening flash media in the browser, both IE and Mozilla Firefox. I tried running AVG anti-virus but it hasn't solved the problem.
I am attaching the log of HijackThis. Please help me solve this problem.


Mitesh



Edited by mithpat, 28 March 2008 - 06:46 AM.



#2
BHowett (OT Moderator, 4,649 posts)
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

Sorry for the delay, as you can tell we are very busy here. Also please be sure to post all logs right into your reply (NOT as an attachment) it makes it easier for me to read.


So let's get started :)


ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**


===============================================


Deckard's System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

===============================================

Needed in your next reply:

ComboFix.txt
Deckard's System Scanner main.txt and extra.txt

#3
mithpat (Topic Starter, New Member, 8 posts)
Hi,

I am sorry for the delay in getting these logs.

ComboFix did not run on my PC for all these days; I had to get someone to do that for me.

DSS only gave me one txt file. Please tell me if I did something wrong. Here are the logs.


ComboFix.txt

ComboFix 08-04-07.3 - Bullet Mehta 2008-04-16 10:20:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.399 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\g2mdlhlpx.exe
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\TXC38.sys
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550O
-------\Legacy_CCEVTSVC
-------\Legacy_MSUPDATE
-------\Legacy_SYSLIBRARY
-------\Legacy_TXC38
-------\Service_asc3550o
-------\Service_CcEvtSvc
-------\Service_msupdate
-------\Service_SysLibrary
-------\Service_Txc38
-------\Service_TXC38


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-14 14:50 . 2008-04-14 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-11 15:43 . 2008-04-11 15:43 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-28 18:03 . 2008-03-28 18:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 14:22 . 2008-03-27 14:22 <DIR> d-------- C:\Program Files\Avanquest update
2008-03-27 14:22 . 2008-03-27 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 13:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-27 08:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 08:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-20 06:18 --------- d-----w C:\Program Files\Java
2008-03-13 08:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-11 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-06 04:02 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-06 04:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-06 03:59 --------- d-----w C:\Program Files\Microsoft Works
2008-03-01 11:09 --------- d-----w C:\Program Files\Google
2008-03-01 11:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 11:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 11:04 --------- d-----w C:\Program Files\AVG
2008-03-01 07:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-29 11:21 --------- d-----w C:\Program Files\AdminMagic Service
2008-02-16 10:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NUnit
2008-02-16 09:48 --------- d-----w C:\Program Files\NUnit 2.4.6
2007-06-26 11:55 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-06-26 11:55 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-06-26 11:55 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-06-26 11:55 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-06-26 11:55 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-06-26 11:55 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-06-26 11:55 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-06-26 11:55 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-06-26 11:55 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 17:30 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^My Marketing Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\My Marketing Manager.lnk
backup=C:\WINDOWS\pss\My Marketing Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pandion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pandion.lnk
backup=C:\WINDOWS\pss\Pandion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 17:30 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
--a------ 2004-01-14 14:30 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian80 (from WIAN96)]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian91 (from WIAN96)]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2005-04-25 07:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2005-04-10 18:43 2904660 D:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2005-04-25 08:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-20 01:24 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 2005-04-25 08:02 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-26 21:10 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
--a------ 2006-04-14 04:39 163328 E:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-13 02:31 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)
"SavRoam"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"TlntSvr"=3 (0x3)
"Spooler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\Program Files\\Spark\\Spark.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"D:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"E:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 AdminMagic;AdminMagic Service ((44185,1114));C:\Program Files\AdminMagic Service\RepSvc.exe []
S3 FXDRV;FXDRV;F:\Fxdrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 10:26:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2008-04-16 10:27:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 04:57:50
Pre-Run: 5,155,921,920 bytes free
Post-Run: 5,632,163,840 bytes free
.
2007-10-25 07:35:49 --- E O F ---



DSS - Main.txt

Deckard's System Scanner v20071014.68
Run by Bullet Mehta on 2008-04-16 10:29:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Bullet Mehta.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:09 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BULLET~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.wiantech.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFC63297-5C08-4882-96E8-4DEC98786D44}: NameServer = 59.144.127.16,202.254.1.18,59.144.127.17,203.197.12.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O23 - Service: AdminMagic Service ((44185,1114)) (AdminMagic) - Unknown owner - C:\Program Files\AdminMagic Service\RepSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 2266 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-16 10:28:03 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-16 10:19:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-16 10:19:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-16 10:19:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-16 10:19:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-16 10:19:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-16 10:19:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-16 10:19:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-16 10:19:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 14:50:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-11 15:43:28 0 d-------- C:\Program Files\ReflexiveArcade
2008-03-28 18:03:10 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:22:40 0 d-------- C:\Program Files\Avanquest update
2008-03-27 14:22:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-04-15 18:34:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-27 14:22:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-20 11:48:51 0 d-------- C:\Program Files\Java
2008-03-13 13:40:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-13 13:09:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-03-06 09:32:32 0 d-------- C:\Program Files\Common Files\L&H
2008-03-06 09:31:36 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-06 09:29:56 0 d-------- C:\Program Files\Common Files
2008-03-06 09:29:37 0 d-------- C:\Program Files\Microsoft Works
2008-03-01 16:39:58 0 d-------- C:\Program Files\Google
2008-03-01 16:39:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-01 16:37:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 16:34:47 0 d-------- C:\Program Files\AVG
2008-03-01 12:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-29 16:51:07 0 d-------- C:\Program Files\AdminMagic Service
2008-02-23 12:49:07 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-16 16:10:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\NUnit
2008-02-16 15:18:03 0 d-------- C:\Program Files\NUnit 2.4.6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^My Marketing Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\My Marketing Manager.lnk
backup=C:\WINDOWS\pss\My Marketing Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pandion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pandion.lnk
backup=C:\WINDOWS\pss\Pandion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_SAB.tmp" /EF "HKLM"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian80 (from WIAN96)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_S7.tmp" /EF "HKLM"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian91 (from WIAN96)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_S32.tmp" /EF "HKLM"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
D:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
E:\Program Files\Spark\Spark.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)
"SavRoam"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"TlntSvr"=3 (0x3)
"Spooler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
Auto\command- sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
AutoRun\command- wscript.exe VirusRemoval.vbs
open\Command- wscript.exe VirusRemoval.vbs




-- End of Deckard's System Scanner: finished at 2008-04-16 10:29:44 ------------


Looking forward to your reply.

Mitesh

#4
BHowett (OT Moderator, 4,649 posts)
Hi mithpat,


Looking over your log, it seems you don't have any evidence of anti-virus software. Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer. An anti-virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are:
It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

===============================================


Download Firewall

I don't see any firewall in your HijackThis log, so I assume you use windows firewall.

It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are:
A tutorial about firewalls can be found here.

===============================================


Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============================================



Needed in your next reply:

Kaspersky WebScanner results

New HijackThis log
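The ComboFix registry section posted above already shows why the firewall advice matters: Security Center anti-virus notifications are switched off, the standard-profile Windows Firewall is disabled, port 3389/TCP is globally open, and three per-device mountpoints2 keys carry AutoRun commands. As an added example that is not part of this thread or of ComboFix, DSS or HijackThis, the Python below parses excerpts of that dump (copied here as a constructed sample) and flags those settings and the autorun handlers, separating the U3 launcher from the sal.xls.exe and VirusRemoval.vbs entries.

```python
"""Flag hardening regressions and suspicious removable-drive AutoRun handlers in a
ComboFix / DSS style registry dump. Added example; not part of any tool in the thread."""
import re

# Constructed sample: excerpts of the "Reg Loading Points" section posted above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PAYLOAD_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)$", re.I)
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(exe|com|scr|pif|bat|cmd)$", re.I)
# Accepts "\Shell\AutoRun\command - ..." (ComboFix) and "AutoRun\command- ..." (DSS).
AUTORUN_RE = re.compile(r"^(?:\\?shell\\)?([^\\]+)\\command\s*-\s*(.+)$", re.I)
MOUNTPOINT_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})", re.I)


def parse_sections(text):
    """Group a REGEDIT4-style dump into {key: [value lines]}, keeping file order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def check_settings(sections):
    """Report values that switch off the host's own defences or expose services."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        for value in values:
            name, _, val = value.partition("=")
            name, val = name.strip().strip('"'), val.strip().lower()
            if k.endswith("security center") and name.lower() == "antivirusdisablenotify":
                if val.endswith("1"):
                    findings.append("Security Center anti-virus notifications are disabled")
            elif k.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
                if val.startswith("0"):
                    findings.append("Windows Firewall is disabled for the standard profile")
            elif k.endswith("globallyopenports\\list"):
                findings.append(f"firewall port globally open: {name}")
    return findings


def suspicious_reasons(command):
    """Why an AutoRun command looks like an autorun worm; empty list if it looks benign."""
    reasons = []
    for i, token in enumerate(command.split()):
        base = token.rsplit("\\", 1)[-1]
        if i == 0 and base.lower() in SCRIPT_HOSTS:
            reasons.append(f"script host {base}")
            continue
        if DOUBLE_EXT.search(base):
            reasons.append(f"double extension {base}")
        # A bare file name is resolved from the removable drive's root, not a fixed path.
        if PAYLOAD_EXT.search(base) and not re.match(r"[a-z]:\\", token, re.I):
            reasons.append(f"{base} resolved relative to the drive root")
    if "shellexec_rundll" in command.lower():
        reasons.append("launched through rundll32 ShellExec_RunDLL")
    return reasons


def check_mountpoints(sections):
    """(drive GUID, verb, command, reasons) for every suspicious per-device handler."""
    hits = []
    for key, values in sections.items():
        m = MOUNTPOINT_RE.search(key)
        if not m:
            continue
        for value in values:
            am = AUTORUN_RE.match(value)
            if am and (reasons := suspicious_reasons(am.group(2).strip())):
                hits.append((m.group(1), am.group(1), am.group(2).strip(), reasons))
    return hits


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DUMP)
    for finding in check_settings(secs):
        print("[setting]", finding)
    for guid, verb, cmd, why in check_mountpoints(secs):
        print(f"[autorun] {guid} {verb}: {cmd} -> {'; '.join(why)}")
```

Feeding it the full "Reg Loading Points" or DSS "Registry Dump" section instead of the sample works the same way, since both formats use the same bracketed keys.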

#5
mithpat (Topic Starter, New Member, 8 posts)
Hi,

As you asked, the following is the scan result for Kaspersky WebScanner.


==============================================================================

KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 8:41:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/04/2008
Kaspersky Anti-Virus database records: 712079
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 195602
Number of viruses found 16
Number of infected objects 44
Number of suspicious objects 1
Duration of the scan process 08:14:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008041720080418\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_38c.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\Messenger\logs\billing_Bullet Mehta.log Object is locked skipped
D:\Program Files\Messenger\logs\client_Bullet Mehta.log Object is locked skipped
D:\Program Files\Messenger\logs\network_Bullet Mehta.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\change.log Object is locked skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/05 Aug 2005 12:53 to [email protected]:Your PayPal Billing I.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpkun.exe Infected: not-a-virus:Monitor.Win32.Perflogger.an skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpkvw.exe Infected: not-a-virus:Monitor.Win32.Perflogger.aq skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/Setup.exe Infected: not-a-virus:Monitor.Win32.Perflogger.af skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.al skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpkwb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ab skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe/bpkr.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip/i_bpk2003.exe Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger/19 Apr 2006 10:17 to Deepak Jain; [email protected]:Fwd: ke/17 Mar 2005 16:38 from Mitesh Patel:keylogger/i_bpk2003.zip Infected: not-a-virus:Monitor.Win32.Perflogger.cb skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/14 Feb 2006 04:10 to [email protected]:failure notice.eml/[From [email protected]][Date Tue, 14 Feb 2006 09:42:25 +0530]/UNNAMED/Part-2.zip/Part-2.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/14 Feb 2006 04:10 to [email protected]:failure notice.eml/[From [email protected]][Date Tue, 14 Feb 2006 09:42:25 +0530]/UNNAMED/Part-2.zip Infected: Email-Worm.Win32.NetSky.aa skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/14 Feb 2006 04:10 to [email protected]:failure notice.eml/[From [email protected]][Date Tue, 14 Feb 2006 09:42:25 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.aa skipped
E:\Personal\Outlook.pst/outlook/Inbox/[email protected]/14 Feb 2006 04:10 to [email protected]:failure notice.eml Infected: Email-Worm.Win32.NetSky.aa skipped
E:\Personal\Outlook.pst Mail MS Mail: infected - 13, suspicious - 1 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027659.exe/data0000.cab/Server.exe Infected: Trojan-PSW.Win32.Agent.tr skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027659.exe/data0000.cab Infected: Trojan-PSW.Win32.Agent.tr skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027659.exe Rsrc-Package: infected - 2 skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0020/data0004 Infected: not-a-virus:AdWare.Win32.Sidesearch.b skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0020 Infected: not-a-virus:AdWare.Win32.Sidesearch.b skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0022/data0002 Infected: not-a-virus:AdWare.Win32.Connector skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0022 Infected: not-a-virus:AdWare.Win32.Connector skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0024 Infected: not-a-virus:AdWare.Win32.EZula skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe/data0025 Infected: Trojan-Spy.Win32.Briss.j skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027660.exe Inno: infected - 6 skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0020/data0004 Infected: not-a-virus:AdWare.Win32.Sidesearch.b skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0020 Infected: not-a-virus:AdWare.Win32.Sidesearch.b skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0022/data0002 Infected: not-a-virus:AdWare.Win32.Connector skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0022 Infected: not-a-virus:AdWare.Win32.Connector skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0024 Infected: not-a-virus:AdWare.Win32.EZula skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe/data0025 Infected: Trojan-Spy.Win32.Briss.j skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027661.exe Inno: infected - 6 skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004/Cabs.w1.cab/HyperbarSS1.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004/Cabs.w1.cab/HyperbarSS2.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0004 Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0005/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0005/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0005/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe/data0005 Infected: not-a-virus:AdWare.Win32.HyperBar skipped
E:\System Volume Information\_restore{C6D41161-6EE1-4C44-8919-4707A4985AE8}\RP99\A0027662.exe NSIS: infected - 10 skipped
E:\Tools\astlog.zip/astlog.exe Infected: not-a-virus:PSWTool.Win32.Asterisk.a skipped
E:\Tools\astlog.zip ZIP: infected - 1 skipped
Scan process completed.

================================================================================


and the HijackThis log


========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:27 AM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pandion\Pandion.exe
D:\Program Files\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\logon.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.wiantech.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFC63297-5C08-4882-96E8-4DEC98786D44}: NameServer = 59.144.127.16,202.254.1.18,59.144.127.17,203.197.12.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O23 - Service: AdminMagic Service ((44185,1114)) (AdminMagic) - Unknown owner - C:\Program Files\AdminMagic Service\RepSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 2956 bytes
===============================================================


I await your reply.

thanks

Mitesh
  • 0
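Reading a HijackThis log by hand means picking out the same handful of entry types every time: the O17 DNS and domain settings, the O4 autoruns, and the O23 services (especially ones whose file is missing or whose owner is unknown). Below is an added example parser for that line format; it is not code from the thread or from Trend Micro's HijackThis. The sample log is constructed in the same layout as the one posted above, with a placeholder GUID, documentation-range IP addresses (192.0.2.x) and an example domain instead of the poster's values.

```python
"""Parse HijackThis entries and pull out the items an analyst checks first.

Added example, not code from the thread or from Trend Micro's HijackThis.
The sample log is constructed; the GUID, 192.0.2.x addresses and
corp.example.net are placeholders.
"""
import re

# One HijackThis line: "<kind> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
DOMAIN_RE = re.compile(r"\b(?:Domain|DomainName) = (?P<domain>\S+)$")
# O4 body: HKLM\..\Run: [name] command
AUTORUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# O23 body: Service: <display name> (<short name>) - <owner> - <image path>
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample in HijackThis format (placeholder GUID, IPs and domain).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.0.2.1,192.0.2.2
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""


def review_hjt(text):
    """Return the entries reviewed first: O17 DNS/domain settings, O4 autoruns,
    O23 services, plus every line the parser could not interpret."""
    report = {"entries": [], "nameservers": [], "domains": [], "autoruns": [],
              "services": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        kind, body = m["kind"], m["body"]
        report["entries"].append((kind, body))
        if kind == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                report["nameservers"].extend(ip for ip in ns["ips"].split(",") if ip)
                continue
            dom = DOMAIN_RE.search(body)
            if dom:
                report["domains"].append(dom["domain"])
        elif kind == "O4":
            a = AUTORUN_RE.match(body)
            if a:
                report["autoruns"].append({"hive": a["hive"], "key": a["key"],
                                           "name": a["name"], "command": a["command"]})
            else:
                report["unparsed"].append(line)
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s:
                path = s["path"]
                missing = path.endswith("(file missing)")
                report["services"].append({
                    "name": s["name"], "short_name": s["short"], "owner": s["owner"],
                    "path": path[: -len("(file missing)")].strip() if missing else path,
                    "file_missing": missing,
                    "unknown_owner": s["owner"] == "Unknown owner",
                })
            else:
                report["unparsed"].append(line)
    return report


def services_needing_review(report):
    """Services whose binary is gone or whose vendor HijackThis could not identify."""
    return [s for s in report["services"] if s["file_missing"] or s["unknown_owner"]]


if __name__ == "__main__":
    r = review_hjt(SAMPLE_HJT)
    print("DNS servers to verify against the ISP:", r["nameservers"])
    print("Domain suffixes:", r["domains"])
    for s in services_needing_review(r):
        print("Review service:", s["name"], "->", s["path"], "(file missing)" if s["file_missing"] else "")
```

A service flagged here is not automatically malicious (unsigned vendors and leftover entries from uninstalled software look the same in the log); the point is to surface the O17 resolvers and the orphaned O23 entries so they can be checked against what the user expects, which is exactly what the helper does by eye further down the thread.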

#6
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Most of what was found was in your system restore points, but don't worry, we will clean them out.

The following were showing in the KASPERSKY ONLINE SCANNER REPORT. However, they may be legit. If you use them and trust them you can keep them. If not, simply delete the emails, then navigate to E:\Tools\astlog.zip and delete that folder.

E:\Tools\astlog.zip/astlog.exe --> PSWTool.Win32.Asterisk.a

===== Email =====

E:\Personal\Outlook.pst
/outlook/Inbox/[email protected]/05 Aug 2005 12:53 to [email protected]:Your PayPal Billing I.html
/outlook/Inbox/[email protected]/13 Jun 2006 07:38 from Mitesh Patel:Fwd: keylogger
/outlook/Inbox/[email protected]/14 Feb 2006 04:10 to [email protected]:failure notice.eml


===============================================


Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

===============================================


Please let me know how your system is running. And if you have any problems.
  • 0
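The reasoning in the post above (locked system files are noise, detections under System Volume Information are restore-point copies cleared by resetting restore points, detections inside a .pst are messages to delete, and only the rest are files the user actually runs) can be applied mechanically to the scanner's line format. The following is an added example, not code from the thread or from Kaspersky; the report lines it parses are constructed in the same format as the Kaspersky Online Scanner output posted earlier, with a placeholder GUID and mailbox.

```python
"""Triage a Kaspersky Online Scanner report: drop locked-file noise, then
group detections by where they live (restore point, mail archive, other).

Added example, not code from the thread or from Kaspersky. SAMPLE_REPORT is
constructed in the scanner's line format; the GUID and mailbox are placeholders.
"""
import re

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
DETECT_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) skipped$")
# Container summary lines, e.g. "... ZIP: infected - 1 skipped" or
# "... Mail MS Mail: infected - 13, suspicious - 1 skipped".
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[^\\/:]+): infected - (?P<infected>\d+)"
    r"(?:, suspicious - (?P<suspicious>\d+))? skipped$"
)

SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Personal\Outlook.pst/outlook/Inbox/user@example.com/failure notice.eml Infected: Email-Worm.Win32.NetSky.aa skipped
E:\Personal\Outlook.pst Mail MS Mail: infected - 1, suspicious - 0 skipped
E:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP99\A0027659.exe/data0000.cab/Server.exe Infected: Trojan-PSW.Win32.Agent.tr skipped
E:\Tools\astlog.zip/astlog.exe Infected: not-a-virus:PSWTool.Win32.Asterisk.a skipped
E:\Tools\astlog.zip ZIP: infected - 1 skipped
Scan process completed.
"""


def classify_location(path):
    """Where a detection lives decides the cleanup step."""
    low = path.lower()
    if "\\_restore{" in low:
        return "restore_point"   # System Restore copy; cleared by resetting restore points
    if ".pst/" in low:
        return "mail_archive"    # item inside an Outlook archive; delete the message
    return "other"               # a file on disk the user may actually run


def triage(report_text):
    result = {"locked": [], "restore_point": [], "mail_archive": [], "other": [],
              "containers": [], "unparsed": []}
    for line in report_text.splitlines():
        line = line.strip()
        if not line or line == "Scan process completed.":
            continue
        m = LOCKED_RE.match(line)
        if m:                      # in-use system files the scanner could not open
            result["locked"].append(m["path"])
            continue
        m = DETECT_RE.match(line)
        if m:
            result[classify_location(m["path"])].append({
                "path": m["path"], "verdict": m["verdict"], "name": m["name"],
                # "not-a-virus:" is Kaspersky's prefix for riskware/tools, not malware
                "riskware": m["name"].startswith("not-a-virus:"),
            })
            continue
        m = CONTAINER_RE.match(line)
        if m:                      # per-archive totals; the members were already listed
            result["containers"].append({
                "path": m["path"], "kind": m["kind"],
                "infected": int(m["infected"]), "suspicious": int(m["suspicious"] or 0),
            })
            continue
        result["unparsed"].append(line)
    return result


def threat_names(result):
    """Distinct detection names across all non-noise buckets."""
    names = set()
    for bucket in ("restore_point", "mail_archive", "other"):
        names.update(f["name"] for f in result[bucket])
    return sorted(names)


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{len(r['locked'])} locked files ignored")
    for bucket in ("restore_point", "mail_archive", "other"):
        for f in r[bucket]:
            print(f"[{bucket}] {f['name']} <- {f['path']}")
    print("unparsed:", r["unparsed"])
```

The "other" bucket is the one to read closely: in the posted report it holds only the riskware-flagged password-reveal tool in E:\Tools, which matches the helper's "may be legit, keep it if you trust it" verdict, while every real malware hit sits in a restore point or a mailbox.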

#7
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any questions or problems you still have.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done.
The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.


Thanks for letting us help you!
  • 0
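Step 3 in the post above sets three Internet-zone ActiveX options through the IE dialog. Those options are stored per user in the registry, so the setting can be audited without clicking through the dialog, which is useful when checking a machine after cleanup or when malware has quietly weakened the zone. Below is an added example, not code from the thread; the registry path, the URL-action value names 1001, 1004 and 1201, and the 0/1/3 (Enable/Prompt/Disable) encoding are Internet Explorer's own, while the comparison logic and the sample dictionaries are constructed here.

```python
"""Check Internet Explorer's Internet-zone ActiveX settings against the
recommendation in the post: signed and unsigned downloads -> Prompt,
"initialize and script controls not marked as safe" -> Disable.

Added example, not code from the thread. Registry path, value names and the
0/1/3 encoding are IE's; the evaluation logic and sample states are constructed.
"""

# Zone 3 is the Internet zone; values live under the current user's hive.
ZONE_INTERNET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

URL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {0: 0, 1: 1, 3: 2}                   # higher is safer
RECOMMENDED = {"1001": 1, "1004": 1, "1201": 3}   # the post's recommendation


def evaluate_zone(values):
    """values: mapping of URL-action value name -> DWORD as stored in the zone key.
    Returns one finding per action that is weaker than recommended or unreadable;
    a stricter setting than recommended (e.g. Disable where Prompt is asked) passes."""
    findings = []
    for action, wanted in RECOMMENDED.items():
        current = values.get(action)
        entry = {"action": action, "description": URL_ACTIONS[action],
                 "recommended": SETTING_NAMES[wanted]}
        if current not in STRICTNESS:
            entry.update(current=current, reason="missing or unrecognized value")
            findings.append(entry)
        elif STRICTNESS[current] < STRICTNESS[wanted]:
            entry.update(current=SETTING_NAMES[current], reason="weaker than recommended")
            findings.append(entry)
    return findings


def read_internet_zone():
    """Read the three values from the live registry (Windows only)."""
    import winreg  # imported here so evaluate_zone() still runs on other platforms
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET_KEY) as key:
        for action in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                values[action] = data
    return values


# Constructed sample states (not read from the poster's machine).
WEAK_EXAMPLE = {"1001": 0, "1004": 0, "1201": 0}       # everything silently enabled
HARDENED_EXAMPLE = {"1001": 1, "1004": 3, "1201": 3}   # 1004 is stricter than asked; fine

if __name__ == "__main__":
    try:
        values = read_internet_zone()
    except ImportError:
        values = WEAK_EXAMPLE        # demo data when not on Windows
    for f in evaluate_zone(values):
        print(f"{f['action']} {f['description']}: {f['current']} "
              f"(recommended {f['recommended']}; {f['reason']})")
```

One caveat when running this on a real system: if an administrator has set the Security_HKLM_only policy, IE reads the zone settings from HKEY_LOCAL_MACHINE instead, so the same value names would have to be read under that hive for the check to reflect what the browser actually enforces.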

#8
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





