Hi,
Thanks for the reply. I am attaching the logs of hijackthis, smitfraudfix and combofix. I hope atleast one could be of helpful to you.
Thanks once again and please help me. I almost wasted 48 hrs and I am exhausted.
Hijackthis logs:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:36, on 2008-11-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SAP\CN\CN.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\SAP\CN\cwaUpdater.exe
C:\Program Files\iPass\iPassConnect SAPVPN\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPass\iPassConnect SAPVPN\downloader\ipccheck.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Documents and Settings\I820398\Desktop\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
http://proxy:8083R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = vmw2345;<local>;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e
http://localhost:16386/O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - .DEFAULT User Startup: DefaultUser.vbs (User 'Default user')
O4 - .DEFAULT User Startup: NM_conf.vbs (User 'Default user')
O4 - .DEFAULT User Startup: WLANConfig.vbs (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft....k/?linkid=58813O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) -
https://connectphl02...,2008,0514,2338O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) -
https://connectphl02...,2008,0701,2210O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) -
https://connectphl02...,2008,0514,2345O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) -
http://picasaweb.goo...s/uploader2.cabO16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) -
https://connectphl02...,2008,0514,2340O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) -
https://connectphl02...,2008,0701,2202O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1179238784976O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
https://connectphl02...,2008,0514,2341O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
https://sapsupport.w...ort/ieatgpc.cabO16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) -
https://connectphl03...,2008,0701,2205O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) -
https://connectphl02...,2008,0514,2348O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jhy.sap.corp,stm.sap.corp,phl.sap.corp,wdf.sap.corp,sap.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jhy.sap.corp,stm.sap.corp,phl.sap.corp,wdf.sap.corp,sap.corp
O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CN - SAP - C:\Program Files\SAP\CN\CN.exe
O23 - Service: cwaUpdater - SAP - C:\Program Files\SAP\CN\cwaUpdater.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect SAPVPN\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect SAPVPN\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: HP Enterprise Discovery Agent (prgnDiscAgent) - Unknown owner - C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RescueAccount - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 13634 bytes
Logs from combofix:ComboFix 08-11-24.03 - I820398 2008-11-25 13:02:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2335 [GMT -5:00]
Running from: c:\documents and settings\I820398\My Documents\My Data\Setup files\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\tn3
c:\windows\IE4 Error Log.txt
c:\windows\system32\instsrv.exe
c:\windows\system32\prunnet.exe
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://wsuscorp:8530
hxxp://USPHLSMS1.PHL.SAP.CORP:1080
hxxp://USSTM003.STM.SAP.CORP:1080
.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
2008-11-25 13:10 . 2008-11-25 13:10 <DIR> d-------- c:\temp\tn3
2008-11-25 12:33 . 2008-11-25 12:33 167,976 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-25 10:13 . 2008-11-25 10:13 <DIR> d-------- c:\program files\Lavasoft
2008-11-25 10:13 . 2008-11-25 10:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 12:41 . 2008-11-24 12:41 <DIR> d-------- c:\program files\Hewlett-Packard
2008-11-24 12:41 . 2008-11-24 12:41 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Peregrine
2008-11-24 06:11 . 2008-11-24 06:11 3,902 --a------ c:\windows\system32\tmp.reg
2008-11-24 06:03 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-24 06:03 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-24 06:03 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-24 06:03 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-24 06:03 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-24 06:03 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-24 06:03 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-24 06:03 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-24 06:03 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-24 06:03 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 15:43 . 2008-11-25 10:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-23 15:04 . 2008-11-25 10:12 420 --a------ c:\windows\wininit.ini
2008-11-23 09:18 . 2008-11-23 09:39 <DIR> d-------- c:\documents and settings\I820398\Application Data\NI.GSCNS
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\mp
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\ID2
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\windows\system32\gp2
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\temp\FT62
2008-11-23 09:10 . 2008-11-23 09:10 86,272 --a------ c:\windows\system32\drivers\ndiss.sys
2008-11-23 09:10 . 2008-11-23 09:10 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 09:10 . 2008-11-23 09:10 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-17 08:27 . 2008-11-17 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Email Backup Optimization
2008-11-17 08:26 . 2008-11-17 08:26 <DIR> d-------- c:\program files\Iron Mountain
2008-10-31 13:03 . 2004-03-08 23:00 124,688 --a------ c:\windows\system32\MSWINSCK.OCX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-11-25 17:34 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2008-11-25 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 15:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-24 15:58 51,304 ----a-w c:\windows\system32\drivers\atnt40k.sys
2008-11-24 15:58 --------- d-----w c:\documents and settings\I820398\Application Data\webex
2008-11-24 11:11 --------- d-----w c:\program files\Google
2008-11-17 13:33 --------- d-----w c:\program files\Connected
2008-10-31 19:25 --------- d-----w c:\documents and settings\I820398\Application Data\VMware
2008-10-31 18:57 --------- d-----w c:\program files\BPC
2008-10-16 19:26 --------- d-----w c:\program files\Microsoft IntelliType Pro
2008-10-16 19:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-16 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2008-10-10 16:44 --------- d-----w c:\documents and settings\I820398\Application Data\FileZilla
2007-12-11 07:55 626,688 ----a-w c:\program files\Common Files\sapconsaccess.dll
2007-12-11 07:55 40,960 ----a-w c:\program files\Common Files\DigitalSignature.ocx
2007-12-11 07:55 3,125,248 ----a-w c:\program files\Common Files\sapxlhelper.dll
2007-12-11 07:55 192,512 ----a-w c:\program files\Common Files\sapconsr3.dll
2007-12-11 07:55 1,229,312 ----a-w c:\program files\Common Files\SAPActiveXL_nosig.xlt
2007-12-11 07:55 1,167,872 ----a-w c:\program files\Common Files\SAPActiveXL.xlt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2005-05-09 1658080]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-01-02 136512]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Dell QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2006-06-29 1032192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-17 185896]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-05-15 55856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exe" [2008-04-24 239104]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
c:\documents and settings\C5103281\Start Menu\Programs\Startup\
DefaultUser.vbs [2005-05-05 1335]
NM_conf.vbs [2006-10-12 7667]
WLANConfig.vbs [2006-02-21 2593]
c:\documents and settings\I820398\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RAinit]
2008-03-07 12:34 11520 c:\windows\system32\RAinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
R1 ndiss;ndiss;c:\windows\system32\drivers\ndiss.sys [2008-11-23 86272]
R2 AgentService;AgentService;"c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe" -p 16386 [2008-04-24 6311936]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2007-04-13 590712]
R2 cwaUpdater;cwaUpdater;"c:\program files\SAP\CN\cwaUpdater.exe" [2008-07-16 40856]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect SAPVPN\iPCAgent.exe [2007-05-15 90112]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2008-04-24 45384]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\DRIVERS\mdc80211.sys [2007-05-15 15793]
R2 prgnDiscAgent;HP Enterprise Discovery Agent;"c:\program files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe" [2008-10-15 1220608]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\c:\program files\RemotelyAnywhere\RaInfo.sys [2006-09-11 11136]
R2 RescueAccount;RescueAccount;c:\windows\system32\srvany.exe [2008-03-07 15872]
R3 ramirr;ramirr;c:\windows\system32\DRIVERS\ramirr.sys [2006-09-11 8064]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-02-22 27000]
S2 CN;CN;"c:\program files\SAP\CN\CN.exe" [2008-06-23 36760]
S3 f5ipfw;F5 Networks StoneWall Filter;\??\c:\windows\system32\drivers\urfltw2k.sys [2008-03-07 10744]
S3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2007-04-13 23416]
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2007-05-15 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2007-05-15 24344]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2007-05-15 229367]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74ab0754-1aad-11dd-bd1e-001c23881195}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - CN
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{87030193-D33F-4A27-9758-5048FF2B9116}]
c:\windows\system32\msiexec.exe /fu {87030193-D33F-4A27-9758-5048FF2B9116} /qn
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
%
.
Contents of the 'Scheduled Tasks' folder
2008-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-11-25 13:09:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\RAinit.dll
- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ISS\issSensors\DesktopProtection\blackd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\ISS\issSensors\DesktopProtection\blackice.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\iPass\iPassConnect SAPVPN\downloader\ipccheck.exe
c:\windows\system32\locator.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-25 13:14:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 18:14:24
Pre-Run: 12,976,975,872 bytes free
Post-Run: 12,978,286,592 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect
247 --- E O F --- 2008-09-20 16:00:50
Logs from smitfraudfix:SmitFraudFix v2.376
Scan done at 6:10:55.68, Mon 11/24/2008
Run from C:\Documents and Settings\I820398\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\vtr???.dll Deleted
C:\Program Files\Google\googletoolbar1.dll Deleted
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.4.12.200
DNS Server Search Order: 10.48.130.100
Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0CC60AD8-E012-4262-9678-55AF2B5819C0}: DhcpNameServer=10.4.12.200 10.48.130.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A47D416-1163-46DF-8ECE-67E302AD5D49}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End