Smitfraud-c.coreservice Trojan


#1 TiTna (New Member, 5 posts)
Hi,
My system has been infected with a Trojan, spyware, malware or virus. After I ran Spybot it showed the Smitfraud-c.coreservice trojan, and the location it shows is C\windows\system32\drivers\core.cache.dsk. Spybot deletes it, but then it gets created again. Because of this, whenever I click on Internet Explorer, some additional sites open, which is really annoying. They keep on popping up.

I ran Spybot - no use
I ran Ad-Aware (Lavasoft) - no use
I ran a McAfee virus scan - no use
I ran SmitFraudFix - no use
I ran ComboFix - no use.

The file keeps on coming back, because of which additional sites keep popping up on my system.

Can anyone please help me with this?

Thank you in advance.
Tina
#2 shannianni (Member, 926 posts)
Hi TiTna

Welcome to Geeks to Go. My name is Shannianni.


Before we start I would like you to read and run through the programs that are on this page - Please read.

Then can you please post the required logs so that I can analyze them. I am currently in training at the moment, so there will be a slight delay in replying as I need some time to fully analyze your HijackThis log, and it will need to be checked by an expert prior to me posting, so please be patient.


If you cannot perform any of the instructions or you have any questions you would like to ask then please let me know, I don't bite. :)


LOGS REQUIRED
HIJACKTHIS


Many Thanks

Shannianni.

Edited by shannianni, 25 November 2008 - 03:10 PM.


#3 TiTna (Topic Starter, New Member, 5 posts)
Hi,
Thanks for the reply. I am attaching the logs of HijackThis, SmitFraudFix and ComboFix. I hope at least one could be helpful to you.

Thanks once again and please help me. I have almost wasted 48 hrs and I am exhausted.

HijackThis logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:36, on 2008-11-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SAP\CN\CN.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\SAP\CN\cwaUpdater.exe
C:\Program Files\iPass\iPassConnect SAPVPN\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPass\iPassConnect SAPVPN\downloader\ipccheck.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Documents and Settings\I820398\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8083
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = vmw2345;<local>;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - .DEFAULT User Startup: DefaultUser.vbs (User 'Default user')
O4 - .DEFAULT User Startup: NM_conf.vbs (User 'Default user')
O4 - .DEFAULT User Startup: WLANConfig.vbs (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02...,2008,0514,2338
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://connectphl02...,2008,0701,2210
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl02...,2008,0514,2345
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...s/uploader2.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl02...,2008,0514,2340
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connectphl02...,2008,0701,2202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179238784976
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://connectphl02...,2008,0514,2341
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sapsupport.w...ort/ieatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connectphl03...,2008,0701,2205
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl02...,2008,0514,2348
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jhy.sap.corp,stm.sap.corp,phl.sap.corp,wdf.sap.corp,sap.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jhy.sap.corp,stm.sap.corp,phl.sap.corp,wdf.sap.corp,sap.corp
O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CN - SAP - C:\Program Files\SAP\CN\CN.exe
O23 - Service: cwaUpdater - SAP - C:\Program Files\SAP\CN\cwaUpdater.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect SAPVPN\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect SAPVPN\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: HP Enterprise Discovery Agent (prgnDiscAgent) - Unknown owner - C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RescueAccount - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13634 bytes


Logs from ComboFix:

ComboFix 08-11-24.03 - I820398 2008-11-25 13:02:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2335 [GMT -5:00]
Running from: c:\documents and settings\I820398\My Documents\My Data\Setup files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\tn3
c:\windows\IE4 Error Log.txt
c:\windows\system32\instsrv.exe
c:\windows\system32\prunnet.exe
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://wsuscorp:8530
hxxp://USPHLSMS1.PHL.SAP.CORP:1080
hxxp://USSTM003.STM.SAP.CORP:1080
.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-25 13:10 . 2008-11-25 13:10 <DIR> d-------- c:\temp\tn3
2008-11-25 12:33 . 2008-11-25 12:33 167,976 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-25 10:13 . 2008-11-25 10:13 <DIR> d-------- c:\program files\Lavasoft
2008-11-25 10:13 . 2008-11-25 10:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 12:41 . 2008-11-24 12:41 <DIR> d-------- c:\program files\Hewlett-Packard
2008-11-24 12:41 . 2008-11-24 12:41 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Peregrine
2008-11-24 06:11 . 2008-11-24 06:11 3,902 --a------ c:\windows\system32\tmp.reg
2008-11-24 06:03 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-24 06:03 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-24 06:03 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-24 06:03 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-24 06:03 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-24 06:03 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-24 06:03 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-24 06:03 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-24 06:03 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-24 06:03 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 15:43 . 2008-11-25 10:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-23 15:04 . 2008-11-25 10:12 420 --a------ c:\windows\wininit.ini
2008-11-23 09:18 . 2008-11-23 09:39 <DIR> d-------- c:\documents and settings\I820398\Application Data\NI.GSCNS
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\mp
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\ID2
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\gp2
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\temp\FT62
2008-11-23 09:10 . 2008-11-23 09:10 86,272 --a------ c:\windows\system32\drivers\ndiss.sys
2008-11-23 09:10 . 2008-11-23 09:10 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 09:10 . 2008-11-23 09:10 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-17 08:27 . 2008-11-17 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Email Backup Optimization
2008-11-17 08:26 . 2008-11-17 08:26 <DIR> d-------- c:\program files\Iron Mountain
2008-10-31 13:03 . 2004-03-08 23:00 124,688 --a------ c:\windows\system32\MSWINSCK.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-11-25 17:34 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2008-11-25 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 15:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-24 15:58 51,304 ----a-w c:\windows\system32\drivers\atnt40k.sys
2008-11-24 15:58 --------- d-----w c:\documents and settings\I820398\Application Data\webex
2008-11-24 11:11 --------- d-----w c:\program files\Google
2008-11-17 13:33 --------- d-----w c:\program files\Connected
2008-10-31 19:25 --------- d-----w c:\documents and settings\I820398\Application Data\VMware
2008-10-31 18:57 --------- d-----w c:\program files\BPC
2008-10-16 19:26 --------- d-----w c:\program files\Microsoft IntelliType Pro
2008-10-16 19:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-16 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2008-10-10 16:44 --------- d-----w c:\documents and settings\I820398\Application Data\FileZilla
2007-12-11 07:55 626,688 ----a-w c:\program files\Common Files\sapconsaccess.dll
2007-12-11 07:55 40,960 ----a-w c:\program files\Common Files\DigitalSignature.ocx
2007-12-11 07:55 3,125,248 ----a-w c:\program files\Common Files\sapxlhelper.dll
2007-12-11 07:55 192,512 ----a-w c:\program files\Common Files\sapconsr3.dll
2007-12-11 07:55 1,229,312 ----a-w c:\program files\Common Files\SAPActiveXL_nosig.xlt
2007-12-11 07:55 1,167,872 ----a-w c:\program files\Common Files\SAPActiveXL.xlt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2005-05-09 1658080]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-01-02 136512]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Dell QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2006-06-29 1032192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-17 185896]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-05-15 55856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2008-04-24 239104]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\C5103281\Start Menu\Programs\Startup\
DefaultUser.vbs [2005-05-05 1335]
NM_conf.vbs [2006-10-12 7667]
WLANConfig.vbs [2006-02-21 2593]

c:\documents and settings\I820398\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RAinit]
2008-03-07 12:34 11520 c:\windows\system32\RAinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

R1 ndiss;ndiss;c:\windows\system32\drivers\ndiss.sys [2008-11-23 86272]
R2 AgentService;AgentService;"c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe" -p 16386 [2008-04-24 6311936]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2007-04-13 590712]
R2 cwaUpdater;cwaUpdater;"c:\program files\SAP\CN\cwaUpdater.exe" [2008-07-16 40856]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect SAPVPN\iPCAgent.exe [2007-05-15 90112]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2008-04-24 45384]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\DRIVERS\mdc80211.sys [2007-05-15 15793]
R2 prgnDiscAgent;HP Enterprise Discovery Agent;"c:\program files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe" [2008-10-15 1220608]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\c:\program files\RemotelyAnywhere\RaInfo.sys [2006-09-11 11136]
R2 RescueAccount;RescueAccount;c:\windows\system32\srvany.exe [2008-03-07 15872]
R3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys [2006-09-11 8064]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-02-22 27000]
S2 CN;CN;"c:\program files\SAP\CN\CN.exe" [2008-06-23 36760]
S3 f5ipfw;F5 Networks StoneWall Filter;\??\c:\windows\system32\drivers\urfltw2k.sys [2008-03-07 10744]
S3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2007-04-13 23416]
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2007-05-15 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2007-05-15 24344]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2007-05-15 229367]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74ab0754-1aad-11dd-bd1e-001c23881195}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CN

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{87030193-D33F-4A27-9758-5048FF2B9116}]
c:\windows\system32\msiexec.exe /fu {87030193-D33F-4A27-9758-5048FF2B9116} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
%
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 13:09:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\RAinit.dll

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ISS\issSensors\DesktopProtection\blackd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\ISS\issSensors\DesktopProtection\blackice.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\iPass\iPassConnect SAPVPN\downloader\ipccheck.exe
c:\windows\system32\locator.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-25 13:14:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 18:14:24

Pre-Run: 12,976,975,872 bytes free
Post-Run: 12,978,286,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect

247 --- E O F --- 2008-09-20 16:00:50


Logs from SmitFraudFix:

SmitFraudFix v2.376

Scan done at 6:10:55.68, Mon 11/24/2008
Run from C:\Documents and Settings\I820398\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\vtr???.dll Deleted
C:\Program Files\Google\googletoolbar1.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.4.12.200
DNS Server Search Order: 10.48.130.100

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
shannianni

shannianni

    Member

  • Member
  • PipPipPip
  • 926 posts
Hi TiTna

I haven't forgotten about you, trying to work around my work commitments as well.
Just hang in there and we will have a fix for you soon. :)

Many Thanks

Shannianni
  • 0

#5
TiTna

TiTna

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi,

OK, I will wait for your reply.

Thank you,
Best regards,
S.Sushma
  • 0

#6
TiTna

TiTna

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi,

It's almost 6 days, please can you help me. My work is getting affected as this is my office system and it's not even allowing me to access my office web sites. I can re-image my system but I want to avoid it as I have lots of data and so much software installed.

Can I expect a reply soon? Is there a way to remove this from my system?

Thank you,
Best regards,
Tina
  • 0

#7
shannianni

shannianni

    Member

  • Member
  • PipPipPip
  • 926 posts
Hi TiTna

Sorry for the delay, a few health issues. Right, let's begin.

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Select Apply to All Folders | Yes | Apply | OK.
Go to this link, fill in your username and the link to this thread, then click on browse and locate this file on your computer, then click on "send file".

c:\windows\system32\drivers\ndiss.sys

Set Explorer to Defaults:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Restore Defaults
  • Select Apply to All Folders | Yes | Apply | OK


NEXT

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • c:\program files\SAP\CN\cwaUpdater.exe
  • Click on the submit button
  • Please post the results in your next reply.


NEXT

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


LOGS REQUIRED
MALWAREBYTES
ALSO A NEW RSIT LOG

  • 0
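The two steps above (make hidden and protected files visible in Explorer, then submit the named files for analysis) can also be done from Windows PowerShell, which lets you record the file's hash, attributes, timestamps and Authenticode signature status before uploading it. The script below is an added example and is not code from the thread, from Geeks to Go or from any of the tools mentioned; it assumes Windows PowerShell 2.0 or later and that the two file paths are the ones the helper asked about (the registry value names under Explorer\Advanced are the documented ones for the "Show hidden files and folders" and "Hide protected operating system files" settings).

```powershell
# Added example (not from the thread): show hidden/system files in Explorer, then
# build a report on each suspect file so the hash and signature can be kept with
# the analysis results. Assumes Windows PowerShell 2.0+.

# Per-user Explorer settings: Hidden=1 shows hidden files (2 hides them),
# ShowSuperHidden=1 shows protected OS files, HideFileExt=0 shows extensions.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1
Set-ItemProperty -Path $adv -Name 'HideFileExt'     -Value 0

function Get-SuspectFileReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false }
    }

    # -Force is required to get hidden and system files.
    $item = Get-Item -LiteralPath $Path -Force

    # SHA-256 via .NET so it works on PowerShell 2.0 (Get-FileHash needs 4.0+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($item.FullName)
    try {
        $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }

    # An unsigned or invalid signature on a driver or updater is worth noting
    # in the submission; a valid signature alone does not prove it is clean.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName

    New-Object PSObject -Property @{
        Path       = $item.FullName
        Present    = $true
        Size       = $item.Length
        Attributes = $item.Attributes.ToString()
        Created    = $item.CreationTime
        Modified   = $item.LastWriteTime
        SHA256     = $hash
        Signature  = $sig.Status.ToString()
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# The files the helper asked to be checked in this thread.
$targets = @(
    'C:\Windows\System32\drivers\ndiss.sys',
    'C:\Program Files\SAP\CN\cwaUpdater.exe'
)
$targets | ForEach-Object { Get-SuspectFileReport -Path $_ } | Format-List
```

Explorer reads these registry values when a window is opened, so close and reopen Explorer after running the script. To put the view back to defaults afterwards (the "Set Explorer to Defaults" step), set Hidden back to 2, ShowSuperHidden to 0 and HideFileExt to 1 with the same Set-ItemProperty calls. Paste the SHA256 line alongside the online scan result in your reply so the helper can match the report to the exact file that was uploaded.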

#8
TiTna

TiTna

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi,

Thanks for the reply. My system gave so many problems with those pop-ups that my office has blocked my access and they had immediately replaced my system with another one on 2nd itself. So I cannot carry out your suggestions. Anyway, thanks for your time and help.

regards,
Tina
  • 0

#9
shannianni

shannianni

    Member

  • Member
  • PipPipPip
  • 926 posts
Hi Tina

No Problems, thanks for letting me know

Regards

Shannianni.

Consider this one closed
  • 0
