Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

WSNPOEM_V2 Malware [Solved]

Started by jaswantpurba , Aug 20 2008 04:24 AM

This topic is locked

#1
jaswantpurba

Posted 20 August 2008 - 04:24 AM

Member

Member
15 posts

Hi Folks

My system has been infected by new malware named WSNPOEM_V2 . I did not find anything on internet and on anti virus sites. I hope it is new one.

can someone guide me how can I manage it

i found only a few German pages contain some info about it

here is info provided by one server which i used to login. from this info i got informed that there is a security threat in my PC

Source: 172433
Malware: wsnpoem_v2
Original-SHA1: f55fe04e489efac41605509de60c429b599205d0
Download-Date: 2008-06-11T19:36:44
Client-Side-ID: jxxxxa1_01f5c6e5
Client-Side-Date: 2008-06-11T15:26:13
Data: 442

thanks in advance for your support

jaswant

#2
kahdah

Posted 20 August 2008 - 05:15 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello jaswantpurba

Welcome to G2Go.

=====================
Posted Image

Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

#3
jaswantpurba

Posted 21 August 2008 - 03:00 AM

Member

Topic Starter
Member
15 posts

Hi

Here is the hijack log as require. Please note that I am almost not able to open any site through my DSL connection and using some wireless internet for posting this log.

2nd big concern I tried to run ATF cleaner from following thread, but application gone stuck and not responding. I tried it 3 times but same response.

http://www.geekstogo...-Log-t2852.html

Latest I have run Malwarebytes' Anti-Malware and log file for the same is also pasted as 2nd log quick scan and 3rd log as full scan report log . Please guide me further

Best Regards
Jaswant

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:18 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\singhpur\Local Settings\Temporary Internet Files\Content.IE5\3MYYRBK4\ATF_Cleaner[1].exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvic.exe] C:\WINDOWS\system32\kdvic.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms21 Class) - https://www.rooms.hp...VCInstall21.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www4.snapfish...tlookImport.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish...fishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://g4t0070.hous...om/hp/HPPKI.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.../hp/capicom.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asiapacific.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = asiapacific.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asiapacific.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ASIAPACIFIC.cpqcorp.net,ASIAPACIFIC.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ASIAPACIFIC.cpqcorp.net,ASIAPACIFIC.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/singhpur/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 11029 bytes

------------------------------------------------------------
Malwarebytes' Anti-Malware 1.25
Database version: 1075
Windows 5.1.2600 Service Pack 2

11:25:49 AM 8/21/2008
mbam-log-08-21-2008 (11-25-49).txt

Scan type: Quick Scan
Objects scanned: 46759
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 14
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc5v9j0e793 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc5v9j0e793 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.37.0 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdvic.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Application Data\rhc5v9j0e793\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kdvic.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\0A1663EB.uf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

3rd log
Malwarebytes' Anti-Malware 1.25
Database version: 1075
Windows 5.1.2600 Service Pack 2

11:58:28 AM 8/21/2008
mbam-log-08-21-2008 (11-58-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 88625
Time elapsed: 27 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by jaswantpurba, 21 August 2008 - 04:08 AM.

#4
kahdah

Posted 21 August 2008 - 04:10 AM

GeekU Teacher

Retired Staff
15,822 posts

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

==================================

Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note:If the Recovery Console fails to install then do not proceed rather alert me and post back here we will continue)

#5
jaswantpurba

Posted 21 August 2008 - 06:35 AM

Member

Topic Starter
Member
15 posts

Hi

Before i post the results of COMBIFIX i want to draw your attantion to my stange host file.

Please go through and let me know next plan of action

regards
Jaswant
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 208.67.70.3
127.0.0.1 38.99.150.167
127.0.0.1 38.99.150.205
127.0.0.1 88.255.90.60
127.0.0.1 opal.spod.org
127.0.0.1 sendspace.com
127.0.0.1 ad1.ny.yieldmanager.com
127.0.0.1 ad2.ny.yieldmanager.com
127.0.0.1 ny.yieldmanager.com
127.0.0.1 yieldmanager.com
127.0.0.1 193.165.167.2
127.0.0.1 152.66.249.135

Here are the log created by COMBIFIX

ComboFix 08-08-19.06 - singhpur 2008-08-21 13:51:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1425 [GMT 2:00]
Running from: C:\Documents and Settings\singhpur\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\#SharedObjects\XXVFSZCX\interclick.com
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\#SharedObjects\XXVFSZCX\interclick.com\ud.sol
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\#SharedObjects\XXVFSZCX\static.youku.com
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\#SharedObjects\XXVFSZCX\static.youku.com\v1.0.0262\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\#SharedObjects\XXVFSZCX\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\singhpur\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\singhpur\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 11:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 11:19 . 2008-08-21 11:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-21 11:15 . 2008-08-21 11:15 <DIR> d-------- C:\Program Files\ERUNT
2008-08-20 18:48 . 2008-08-20 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 14:08 . 2008-08-11 14:08 172 --a------ C:\WINDOWS\el.ini
2008-08-03 13:47 . 2008-08-03 13:48 <DIR> d-------- C:\Program Files\HP
2008-08-03 13:47 . 2008-08-03 13:47 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-03 13:47 . 2008-08-03 13:48 107,440 --a------ C:\WINDOWS\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 11:52 --------- d-----w C:\Program Files\symantec antivirus
2008-08-21 11:40 --------- d-----w C:\Documents and Settings\singhpur\Application Data\Skype
2008-08-21 09:11 --------- d-----w C:\Documents and Settings\singhpur\Application Data\BitTorrent
2008-08-20 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-08-12 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-03 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-28 11:30 --------- d-----w C:\Documents and Settings\singhpur\Application Data\dvdcss
2008-06-25 18:24 --------- d-----w C:\Program Files\Common Files\Real
2007-04-02 10:46 13,248 ----a-w C:\WINDOWS\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w C:\WINDOWS\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w C:\Documents and Settings\hpadmin\enablecoe.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 10:01 22880040]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-879983540-725345543-753218\Scripts\Logon\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accelerometersystrayapplet]
--a------ 2007-01-24 10:58 124928 C:\WINDOWS\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp]
--a------ 2006-03-07 20:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\coemsgdisplay]
--a------ 2007-04-11 18:14 26624 C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\getit]
--a------ 2007-12-04 02:12 286720 C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds]
--a------ 2007-02-26 12:34 155648 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqsrmon]
--a------ 2008-03-13 09:34 81920 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpwirelessassistant]
--a------ 2007-01-10 11:43 472776 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ida]
--a------ 2008-01-03 20:24 176128 C:\Program Files\Hewlett-Packard\PC COE\Ida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2007-02-26 12:34 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-15 06:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1]
--a------ 2004-08-03 23:32 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig9.0]
--a------ 2004-02-17 23:51 33992 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPRMZB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002]
--a------ 2004-08-03 23:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence]
--a------ 2007-02-26 12:33 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlbctrl]
--a------ 2007-03-05 12:24 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quickpassword]
--a------ 2007-06-27 00:06 225280 C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smcservice]
--a------ 2005-08-05 19:22 2582240 C:\PROGRA~1\sygate\ssa\Smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp]
--a------ 2007-01-05 18:36 872448 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-19 19:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syntpenh]
--a------ 2007-01-12 15:36 827392 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-05-27 03:01 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\watchdog]
--a------ 2006-09-05 15:32 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 aksbus;ActivIdentity Virtual Reader Enumerator;C:\WINDOWS\system32\DRIVERS\aksbus.sys [2007-04-06 08:16]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;C:\WINDOWS\system32\DRIVERS\akspcsc.sys [2007-06-27 00:06]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-09-19 18:58]
S3 actccid;ActivCard USB Reader V2;C:\WINDOWS\system32\DRIVERS\actccid.sys [2007-06-27 00:06]
S3 AKSIM;ActivKey Sim;C:\WINDOWS\system32\drivers\aksim.sys [2007-06-27 00:06]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}]
msiexec.exe /fomus {8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8} /qb!
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-C:\WINDOWS\system32\kdvic.exe - C:\WINDOWS\system32\kdvic.exe
MSConfigStartUp-kdvic - C:\WINDOWS\system32\kdvic.exe
MSConfigStartUp-lphc1v9j0e793 - C:\WINDOWS\system32\lphc1v9j0e793.exe
MSConfigStartUp-rundelayie - C:\DOCUME~1\singhpur\LOCALS~1\Temp\www\ie\5\patches\RunDelay.exe
MSConfigStartUp-smrhc5v9j0e793 - C:\Program Files\rhc5v9j0e793\rhc5v9j0e793.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://athp.hp.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
O9 -: {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 13:54:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kdvic.exe"="C:\\WINDOWS\\system32\\kdvic.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-08-21 14:07:38
ComboFix-quarantined-files.txt 2008-08-21 12:06:33

Pre-Run: 40,336,097,280 bytes free
Post-Run: 40,370,458,624 bytes free

216

#6
kahdah

Posted 21 August 2008 - 09:26 AM

GeekU Teacher

Retired Staff
15,822 posts

Download the HostsXpert 4.2 - Hosts File Manager.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

================
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\\WINDOWS\\system32\\kdvic.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kdvic.exe"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#7
jaswantpurba

Posted 22 August 2008 - 10:19 AM

Member

Topic Starter
Member
15 posts

Hi
Here is the CFScript results and Hijackthis log results respectively
please suggest next plan of action

best regards
Jaswant

ComboFix 08-08-21.02 - singhpur 2008-08-22 18:04:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1523 [GMT 2:00]
Running from: C:\Documents and Settings\singhpur\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\singhpur\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\\WINDOWS\\system32\\kdvic.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-21 20:26 . 2008-08-21 20:26 59 --a------ C:\WINDOWS\ANS2000.INI
2008-08-21 20:26 . 2008-08-21 20:26 20 --ah----- C:\WINDOWS\akebook.ini
2008-08-21 20:26 . 2008-08-21 20:26 4 --ah----- C:\WINDOWS\a3kebook.ini
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\singhpur\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 11:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 11:19 . 2008-08-21 11:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-21 11:15 . 2008-08-21 11:15 <DIR> d-------- C:\Program Files\ERUNT
2008-08-20 18:48 . 2008-08-20 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 14:08 . 2008-08-11 14:08 172 --a------ C:\WINDOWS\el.ini
2008-08-03 13:47 . 2008-08-03 13:48 <DIR> d-------- C:\Program Files\HP
2008-08-03 13:47 . 2008-08-03 13:47 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-03 13:47 . 2008-08-03 13:48 107,440 --a------ C:\WINDOWS\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 16:01 --------- d-----w C:\Documents and Settings\singhpur\Application Data\Skype
2008-08-22 15:39 --------- d-----w C:\Documents and Settings\singhpur\Application Data\BitTorrent
2008-08-22 14:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-21 12:16 --------- d-----w C:\Program Files\symantec antivirus
2008-08-20 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-08-03 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-28 11:30 --------- d-----w C:\Documents and Settings\singhpur\Application Data\dvdcss
2008-06-25 18:24 --------- d-----w C:\Program Files\Common Files\Real
2007-04-02 10:46 13,248 ----a-w C:\WINDOWS\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w C:\WINDOWS\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w C:\Documents and Settings\hpadmin\enablecoe.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_13.59.09.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-01-26 16:19:17 25,214 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\ARPPRODUCTICON.exe
+ 2008-08-21 12:21:41 25,214 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\ARPPRODUCTICON.exe
- 2007-01-26 16:19:17 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-08-21 12:21:41 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2007-01-26 16:19:17 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-08-21 12:21:41 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-08-21 09:32:38 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-22 15:55:47 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 09:32:38 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-22 15:55:47 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-879983540-725345543-753218\Scripts\Logon\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accelerometersystrayapplet]
--a------ 2007-01-24 10:58 124928 C:\WINDOWS\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp]
--a------ 2006-03-07 20:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\coemsgdisplay]
--a------ 2007-04-11 18:14 26624 C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\getit]
--a------ 2007-12-04 02:12 286720 C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds]
--a------ 2007-02-26 12:34 155648 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqsrmon]
--a------ 2008-03-13 09:34 81920 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpwirelessassistant]
--a------ 2007-01-10 11:43 472776 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ida]
--a------ 2008-01-03 20:24 176128 C:\Program Files\Hewlett-Packard\PC COE\Ida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2007-02-26 12:34 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-15 06:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1]
--a------ 2004-08-03 23:32 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig9.0]
--a------ 2004-02-17 23:51 33992 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPRMZB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002]
--a------ 2004-08-03 23:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence]
--a------ 2007-02-26 12:33 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlbctrl]
--a------ 2007-03-05 12:24 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quickpassword]
--a------ 2007-06-27 00:06 225280 C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smcservice]
--a------ 2005-08-05 19:22 2582240 C:\PROGRA~1\sygate\ssa\Smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp]
--a------ 2007-01-05 18:36 872448 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-19 19:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syntpenh]
--a------ 2007-01-12 15:36 827392 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-05-27 03:01 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\watchdog]
--a------ 2006-09-05 15:32 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe [2007-06-27 00:06]
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe [2007-06-27 00:06]
R2 HPSygControl;HP Sygate Icon Control;C:\PROGRA~1\sygate\ssa\syg_hp.exe [2006-01-25 23:25]
R2 msralinkmonitor;MSRA Link Monitor;C:\Program Files\Remote tools\msraLinkMonitor.exe [2007-11-29 07:39]
R2 radexecd;HP OVCM Notify Daemon;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2007-02-20 10:29]
R2 radsched;HP OVCM Scheduler Daemon;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [2007-03-22 13:49]
R2 Radstgms;HP OVCM MSI Redirector;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [2007-03-20 08:33]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;C:\WINDOWS\system32\DRIVERS\aksbus.sys [2007-04-06 08:16]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;C:\WINDOWS\system32\DRIVERS\akspcsc.sys [2007-06-27 00:06]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-09-19 18:58]
R3 RadiaMsi;RadiaMsi;C:\WINDOWS\system32\DRIVERS\radiamsi.sys [2007-08-03 10:31]
S1 a701effd;a701effd;C:\WINDOWS\system32\drivers\a701effd.sys []
S3 actccid;ActivCard USB Reader V2;C:\WINDOWS\system32\DRIVERS\actccid.sys [2007-06-27 00:06]
S3 AKSIM;ActivKey Sim;C:\WINDOWS\system32\drivers\aksim.sys [2007-06-27 00:06]
S3 magaService;Lan Discover Agent;C:\Program Files\Sygate\SSA\maga\maga.exe [2005-08-05 19:18]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}]
msiexec.exe /fomus {8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8} /qb!
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 18:05:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-08-22 18:05:52
ComboFix-quarantined-files.txt 2008-08-22 16:05:49
ComboFix2.txt 2008-08-22 15:55:29
ComboFix3.txt 2008-08-21 12:07:52

Pre-Run: 40,198,725,632 bytes free
Post-Run: 40,188,624,896 bytes free

212

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:22, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://www.geekstogo.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms21 Class) - https://www.rooms.hp...VCInstall21.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www4.snapfish...tlookImport.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish...fishActivia.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://g4t0070.hous...om/hp/HPPKI.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.../hp/capicom.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asiapacific.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = asiapacific.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asiapacific.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ASIAPACIFIC.cpqcorp.net,ASIAPACIFIC.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ASIAPACIFIC.cpqcorp.net,ASIAPACIFIC.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/singhpur/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 9027 bytes

Edited by jaswantpurba, 22 August 2008 - 10:24 AM.

#8
kahdah

Posted 22 August 2008 - 10:27 AM

GeekU Teacher

Retired Staff
15,822 posts

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\WINDOWS\el.ini

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#9
jaswantpurba

Posted 23 August 2008 - 02:27 AM

Member

Topic Starter
Member
15 posts

Hi

Here are the results of online scan of c:\windows\el.ini done on http://virusscan.jotti.org/

please suggest

regards
Jaswant
--------------------------------

Last file scanned at least one scanner reported something about: ventspam.rar (MD5: 10ba1ebb376eb0a9cc249727f7651ff8, size: 23656 bytes), detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender Application.BruteForcer.A
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Exploit.Win32.Aluigi.hj
Fortinet X
Ikarus Exploit.Win32.Aluigi.hj
Kaspersky Anti-Virus Exploit.Win32.Aluigi.hj
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Exploit.Win32.Aluigi.hj

Scan taken on 23 Aug 2008 08:03:54 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#10
kahdah

Posted 23 August 2008 - 05:27 AM

GeekU Teacher

Retired Staff
15,822 posts

Open notepad and copy/paste the text in the codebox below into it:

http://www.geekstogo.com/forum/WSNPOEM-V2-...44#entry1313444

Collect::
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\akebook.ini
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\system32\drivers\a701effd.sys 
Driver::
a701effd

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

============
Post the Combofix log after that and let me know how things are running?

#11
jaswantpurba

Posted 23 August 2008 - 03:22 PM

Member

Topic Starter
Member
15 posts

Hi Teacher

I has submitted the required files(zip) to the required website and pasting log results for combifix for the above post.

Please note that following two important events.

1. Symantic Antivirus on my PC is not working at all

2. Sometime my PC did not respond to any of the website including geekstogo.com and I have to run malware file again and again so that I can access internet and after cleaning infected stuff again come to my PC

regards
Jaswant

----------------
ComboFix 08-08-21.02 - singhpur 2008-08-23 23:04:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1600 [GMT 2:00]
Running from: C:\Documents and Settings\singhpur\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\singhpur\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ANS2000.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_a701effd

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\singhpur\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-21 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 11:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 11:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 11:19 . 2008-08-21 11:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-21 11:15 . 2008-08-21 11:15 <DIR> d-------- C:\Program Files\ERUNT
2008-08-20 18:48 . 2008-08-20 18:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 14:08 . 2008-08-11 14:08 172 --a------ C:\WINDOWS\el.ini
2008-08-03 13:47 . 2008-08-03 13:48 <DIR> d-------- C:\Program Files\HP
2008-08-03 13:47 . 2008-08-03 13:47 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-03 13:47 . 2008-08-03 13:48 107,440 --a------ C:\WINDOWS\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 21:04 --------- d-----w C:\Documents and Settings\singhpur\Application Data\BitTorrent
2008-08-23 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-23 12:20 --------- d-----w C:\Program Files\symantec antivirus
2008-08-23 12:20 --------- d-----w C:\Program Files\Symantec
2008-08-23 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-23 12:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-22 16:17 --------- d-----w C:\Documents and Settings\singhpur\Application Data\Skype
2008-08-20 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-08-03 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-28 11:30 --------- d-----w C:\Documents and Settings\singhpur\Application Data\dvdcss
2008-06-25 18:24 --------- d-----w C:\Program Files\Common Files\Real
2007-04-02 10:46 13,248 ----a-w C:\WINDOWS\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w C:\Documents and Settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w C:\WINDOWS\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w C:\Documents and Settings\hpadmin\enablecoe.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_13.59.09.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-01-26 16:19:17 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-08-23 08:32:31 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-08-21 09:32:38 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 20:49:43 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-21 09:32:38 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 20:49:43 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-879983540-725345543-753218\Scripts\Logon\0\0]
"Script"=NOITSCAN.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accelerometersystrayapplet]
--a------ 2007-01-24 10:58 124928 C:\WINDOWS\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\coemsgdisplay]
--a------ 2007-04-11 18:14 26624 C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\getit]
--a------ 2007-12-04 02:12 286720 C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds]
--a------ 2007-02-26 12:34 155648 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqsrmon]
--a------ 2008-03-13 09:34 81920 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpwirelessassistant]
--a------ 2007-01-10 11:43 472776 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ida]
--a------ 2008-01-03 20:24 176128 C:\Program Files\Hewlett-Packard\PC COE\Ida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2007-02-26 12:34 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-15 06:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1]
--a------ 2004-08-03 23:32 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig9.0]
--a------ 2004-02-17 23:51 33992 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPRMZB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002]
--a------ 2004-08-03 23:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence]
--a------ 2007-02-26 12:33 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async]
--a------ 2004-08-03 23:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlbctrl]
--a------ 2007-03-05 12:24 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quickpassword]
--a------ 2007-06-27 00:06 225280 C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smcservice]
--a------ 2005-08-05 19:22 2582240 C:\PROGRA~1\sygate\ssa\Smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundmaxpnp]
--a------ 2007-01-05 18:36 872448 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-19 19:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syntpenh]
--a------ 2007-01-12 15:36 827392 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\watchdog]
--a------ 2006-09-05 15:32 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"C:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe [2007-06-27 00:06]
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe [2007-06-27 00:06]
R2 HPSygControl;HP Sygate Icon Control;C:\PROGRA~1\sygate\ssa\syg_hp.exe [2006-01-25 23:25]
R2 msralinkmonitor;MSRA Link Monitor;C:\Program Files\Remote tools\msraLinkMonitor.exe [2007-11-29 07:39]
R2 radexecd;HP OVCM Notify Daemon;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2007-02-20 10:29]
R2 radsched;HP OVCM Scheduler Daemon;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [2007-03-22 13:49]
R2 Radstgms;HP OVCM MSI Redirector;C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [2007-03-20 08:33]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;C:\WINDOWS\system32\DRIVERS\aksbus.sys [2007-04-06 08:16]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;C:\WINDOWS\system32\DRIVERS\akspcsc.sys [2007-06-27 00:06]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-09-19 18:58]
R3 RadiaMsi;RadiaMsi;C:\WINDOWS\system32\DRIVERS\radiamsi.sys [2007-08-03 10:31]
S3 actccid;ActivCard USB Reader V2;C:\WINDOWS\system32\DRIVERS\actccid.sys [2007-06-27 00:06]
S3 AKSIM;ActivKey Sim;C:\WINDOWS\system32\drivers\aksim.sys [2007-06-27 00:06]
S3 magaService;Lan Discover Agent;C:\Program Files\Sygate\SSA\maga\maga.exe [2005-08-05 19:18]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}]
msiexec.exe /fomus {8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8} /qb!
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-ccapp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 23:10:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\sygate\ssa\Smc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
.
**************************************************************************
.
Completion time: 2008-08-23 23:13:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 21:13:40
ComboFix2.txt 2008-08-22 16:05:53
ComboFix3.txt 2008-08-22 15:55:29
ComboFix4.txt 2008-08-21 12:07:52

Pre-Run: 47,874,531,328 bytes free
Post-Run: 47,911,936,000 bytes free

230

#12
kahdah

Posted 23 August 2008 - 03:57 PM

GeekU Teacher

Retired Staff
15,822 posts

Can you re-install Norton as it commonly has issues.

ALso please tell me what ,malware was removed so you could get back online.
If possible post the log.

#13
jaswantpurba

Posted 24 August 2008 - 05:08 AM

Member

Topic Starter
Member
15 posts

Hi

I updated Symantac Antivirus but when i ask system to update virus defination file an error occured (error is attached as a jpg file to the message)

Latest Malware cleaning log is also followed

Please suggest

regards
Jaswant

Malwarebytes' Anti-Malware 1.25
Database version: 1075
Windows 5.1.2600 Service Pack 2

22:41:21 2008-08-23
mbam-log-08-23-2008 (22-41-21).txt

Scan type: Quick Scan
Objects scanned: 46043
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mbcsxcwn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnlmMdB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nwlcdfbu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnollIa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qhxllomg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dtyrsy.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26cdec23-0531-43f1-907e-2ab3611b3da5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26cdec23-0531-43f1-907e-2ab3611b3da5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70fe8c66-7182-4062-ba4d-b253d73a9807} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{70fe8c66-7182-4062-ba4d-b253d73a9807} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e3d5caf1-2707-40fb-8713-6b4f72e973f8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnollia (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8483d14e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm87b0e2d2 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e3d5caf1-2707-40fb-8713-6b4f72e973f8} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlmmdb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnlmmdb -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dtyrsy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnlmMdB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\BdMmlnnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BdMmlnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mbcsxcwn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nwcxscbm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nwlcdfbu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnollIa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qhxllomg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ermfjhxo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhpur\Local Settings\Temporary Internet Files\Content.IE5\37JL1XR7\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\singhpur\Local Settings\Temporary Internet Files\Content.IE5\37JL1XR7\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\singhpur\Local Settings\Temporary Internet Files\Content.IE5\N2N40ZP8\kb671231[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\singhpur\Local Settings\Temporary Internet Files\Content.IE5\SMUJF2A1\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM87b0e2d2.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM87b0e2d2.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Attached Thumbnails

#14
kahdah

Posted 24 August 2008 - 05:49 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

#15
jaswantpurba

Posted 24 August 2008 - 02:28 PM

Member

Topic Starter
Member
15 posts

Hi

online virus scan report is attached as required.

2nd please also let me know why I am not able to update my online virus definition file

regards
Jaswant

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 20:29:33
Records in database: 1141218

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
I:\
J:\
K:\
M:\

Scan statistics
Files scanned 51427
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 00:44:22

File name Threat name Threats count
C:\Documents and Settings\singhpur\Desktop\HP SAP Must read\As A Man Thinketh.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.qqq 1

The selected area was scanned.

Edited by jaswantpurba, 24 August 2008 - 03:14 PM.