Please suggest to me how to get the bad entries permanently removed from my machine. Here is the log created by the ComboFix tool:
ComboFix 08-05-01.1 - npa 2008-05-02 11:18:31.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.305 [GMT 5.5:30]
Running from: C:\Documents and Settings\npa\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.
2008-05-01 10:20 . 2008-05-01 10:20 <DIR> d-------- C:\Documents and Settings\Npa_2\Application Data\AIMPro
2008-05-01 10:20 . 2008-05-01 10:20 <DIR> d-------- C:\Documents and Settings\Npa_2\Application Data\acccore
2008-04-29 09:58 . 2008-05-02 11:17 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-28 12:37 . 2008-04-28 12:37 <DIR> d-------- C:\WINDOWS\Sun
2008-04-28 11:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-28 11:31 . 2008-04-28 11:31 <DIR> d-------- C:\Program Files\Java
2008-04-28 11:26 . 2008-04-28 11:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-26 12:54 . 2008-04-26 12:54 <DIR> d--hs---- C:\CONFIG
2008-04-22 12:01 . 2008-04-22 12:01 <DIR> d-------- C:\Documents and Settings\Npa_2\Application Data\StumbleUpon
2008-04-17 10:50 . 2008-04-17 10:50 <DIR> d-------- C:\Program Files\StumbleUpon
2008-04-17 10:50 . 2008-04-17 10:50 <DIR> d-------- C:\Documents and Settings\npa\Application Data\StumbleUpon
2008-04-17 09:29 . 2008-04-17 09:29 <DIR> d-------- C:\TTAdvance
2008-04-15 10:31 . 2008-04-15 10:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 07:33 --------- d-----w C:\Documents and Settings\npa\Application Data\progeSOFT
.
((((((((((((((((((((((((((((( snapshot@2008-04-29_10.03.46.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 04:31:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 03:25:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-29 04:32:12 256,311 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-02 03:26:26 256,319 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-02 03:26:12 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_488.dat
+ 2008-05-02 03:26:44 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_994.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
C:\Documents and Settings\npa\Start Menu\Programs\Startup\
˙.lnk - C:\CONFIG\svchost.exe [2008-04-26 12:54:09 215523]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"installed"= present2
"winlogon"= C:\CONFIG\svchost.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^npa^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\npa\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 03:11 114688 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-02 13:34 896768 C:\Program Files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-03-11 03:24 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]
C:\Program Files\RapidCheck\RapidCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-08 11:12 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-17 17:23 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"ose"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ReportServer"=2 (0x2)
"MSSQLServerOLAPService"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"BITS"=3 (0x3)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"mnmsrvc"=3 (0x3)
"IDriverT"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MicroSoftOffice\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\MicroSoftOffice\\OFFICE11\\POWERPNT.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 03:45]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-23 11:20]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE31bus.sys [2006-11-10 09:45]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE31mdfl.sys [2006-11-10 09:45]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE31mdm.sys [2006-11-10 09:45]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE31mgmt.sys [2006-11-10 09:45]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);C:\WINDOWS\system32\DRIVERS\se31nd5.sys [2006-11-10 09:46]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE31obex.sys [2006-11-10 09:46]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);C:\WINDOWS\system32\DRIVERS\se31unic.sys [2006-11-10 09:46]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 03:44]
S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{114f9b95-fa24-11dc-a817-000e7ff35cda}]
\Shell\AutoRun\command - G:\Netlog.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cb29f24-efe8-11dc-a80c-000e7ff35cda}]
\Shell\AutoRun\command - G:\x6.bat
\Shell\explore\Command - G:\x6.bat
\Shell\open\Command - G:\x6.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48f26ac4-088c-11dc-a72c-000e7ff35cda}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64888b2c-787d-11dc-a7a4-000e7ff35cda}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e089c8-eb3c-11dc-a805-000e7ff35cda}]
\Shell\AutoRun\command - G:\nudeiect.com
\Shell\explore\Command - G:\nudeiect.com
\Shell\open\Command - G:\nudeiect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc394530-7d39-11dc-a7a5-000e7ff35cda}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc394531-7d39-11dc-a7a5-000e7ff35cda}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beb9da62-6804-11dc-a796-000e7ff35cda}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-26 07:36:26 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-04-08 07:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-02 03:26:42 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 11:20:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
C:\WINDOWS\Explorer.EXE [1780] 0x81EF0510
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2008-05-02 11:20:30
ComboFix-quarantined-files.txt 2008-05-02 05:50:28
ComboFix2.txt 2008-04-29 04:34:10
Pre-Run: 12,640,026,624 bytes free
Post-Run: 12,768,460,800 bytes free