Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Spyware Sinowal.Trojan PLEASE HELP [RESOLVED]

Started by Vishal64 , Dec 05 2008 10:31 AM

This topic is locked

#1
Vishal64

Posted 05 December 2008 - 10:31 AM

New Member

Member
6 posts

My laptop is infected with the Sinowal.Trojan, at least that's the only one I know off. I get frequent pops from Security Center Alert Do you want to block this suspicious software with the keep blocking and unblock buttons dehighlighted and Enable protection highlighted. The message says that the trojan records keystorkes and takes screenshots telaing financial information. Launching Internet explorer I get a message wether I want to browse in unsecure mode. Uploading Hijackthis log and screenshot of error message.

Any help and suggestions are appericiated.
Regards,
Vishal64

Hijackthis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:34 AM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\program files\cscmarimba\tuner\Tuner.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\cscmarimba\tuner\lib\minituner.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Antivirus\InocIT.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet

Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} -

C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet

Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://portal.csc.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=58813
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://amer-ml31.am...om/iNotes6W.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://amer-

ml31.amer.csc.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.mi...b?1182819932390
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) -

http://216.138.75.38...hecker_8198.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex..../v_mywebex-t20-

pso-attdevel2/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://eportal.brooks.com/dana-

cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.globalcsc.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program

Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: cscmarimba - BMC Software, Inc. - C:\program files\cscmarimba\tuner\Tuner.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision

Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

--
End of file - 12040 bytes

Attached Thumbnails

Attached Files

Hijackthis_logfile_12_5_08_11am.rtf 13.1KB 265 downloads

#2
Rorschach112

Posted 05 December 2008 - 11:03 AM

Ralphie

Retired Staff
47,710 posts

Open notepad, click Format, uncheck wordwrap

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

#3
Vishal64

Posted 05 December 2008 - 11:28 AM

New Member

Topic Starter
Member
6 posts

Thanks for your help. Uploading lopR logfile and previously posted Hijackthis log file with wordwrap unchecked.
Thanks,
Vishal.

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel® Pentium® M processor 1.86GHz )
BIOS : Phoenix FirstBIOS™ Notebook Pro Version 2.0 for IBM ThinkPad
USER : VGandhi ( Not Administrator ! )
BOOT : Normal boot
Antivirus : eTrust Antivirus 7.1 (Activated)
C:\ (Local Disk) - NTFS - Total:55 Go (Free:5 Go)
D:\ (CD or DVD)
H:\ (Network Disk)
P:\ (Network Disk)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Fri 12/05/2008|12:22 )

--------------------\\ Listing folders in APPLIC~1

[06/27/2007|11:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[03/28/2005|09:17] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[07/25/2005|09:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> InterVideo
[06/27/2007|11:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia
[01/02/2008|08:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[04/09/2008|03:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[06/14/2008|02:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[06/14/2008|02:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[11/28/2008|08:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[05/04/2008|10:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[03/28/2005|09:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[06/27/2007|08:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intel
[12/05/2008|09:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Juniper Networks
[07/13/2008|09:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[04/24/2008|03:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[11/29/2008|12:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help
[06/25/2007|08:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Office Genuine Advantage
[10/19/2008|06:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[07/27/2005|10:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[04/11/2008|01:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[08/17/2008|10:55] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Adobe
[03/28/2005|09:17] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Identities
[08/17/2008|10:55] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Intel
[07/27/2005|10:32] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> InterVideo
[11/20/2005|09:55] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Macromedia
[08/17/2008|10:55] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Microsoft
[01/02/2008|05:10] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> OfficeUpdate12
[08/17/2008|10:55] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Real
[06/25/2007|07:02] C:\DOCUME~1\CGadmin\APPLIC~1\<DIR> Sonic

[06/27/2007|11:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Adobe
[03/28/2005|09:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[07/25/2005|09:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> InterVideo
[06/27/2007|11:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Macromedia
[07/28/2005|03:23] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[05/01/2008|09:04] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Intel
[03/28/2005|08:32] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[01/05/2008|09:19] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Intel
[03/28/2005|08:32] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[04/09/2008|03:27] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Adobe
[07/05/2008|01:53] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Apple Computer
[11/29/2008|08:48] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> DivX
[12/05/2008|10:11] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Google
[06/14/2008|02:16] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> IBM
[03/28/2005|09:17] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Identities
[04/11/2008|12:23] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Intel
[07/25/2005|09:34] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> InterVideo
[12/05/2008|09:34] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Juniper Networks
[09/25/2008|08:08] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Macromedia
[07/12/2008|10:55] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Microsoft
[11/28/2008|09:38] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Mozilla
[05/31/2008|03:46] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Real
[10/19/2008|06:46] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Skype
[10/19/2008|06:21] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> skypePM
[04/09/2008|02:27] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> Sun
[10/15/2008|01:47] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> U3
[06/27/2008|08:34] C:\DOCUME~1\vgandhi\APPLIC~1\<DIR> webex

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[08/23/2001 08:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
[12/05/2008 10:07 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT

--------------------\\ Listing Folders in C:\Program Files

[06/27/2007|10:11] C:\Program Files\<DIR> 2142_Fiberlink
[11/07/2008|02:05] C:\Program Files\<DIR> Adobe
[07/25/2005|11:04] C:\Program Files\<DIR> Analog Devices
[07/25/2008|02:38] C:\Program Files\<DIR> AnalogX
[06/14/2008|02:04] C:\Program Files\<DIR> Apple Software Update
[04/07/2006|11:46] C:\Program Files\<DIR> CA
[11/29/2008|08:52] C:\Program Files\<DIR> Common Files
[03/28/2005|08:11] C:\Program Files\<DIR> ComPlus Applications
[07/25/2005|11:02] C:\Program Files\<DIR> CONEXANT
[06/25/2007|07:27] C:\Program Files\<DIR> CSC
[08/11/2006|06:39] C:\Program Files\<DIR> CSC EAV Config
[11/13/2008|01:51] C:\Program Files\<DIR> CSC Nortel VPN Client
[04/09/2008|01:34] C:\Program Files\<DIR> cscmarimba
[11/29/2008|12:52] C:\Program Files\<DIR> DivX
[07/25/2005|02:46] C:\Program Files\<DIR> DTM
[07/25/2008|04:51] C:\Program Files\<DIR> ffdshow
[05/04/2008|10:34] C:\Program Files\<DIR> Hewlett-Packard
[05/04/2008|10:34] C:\Program Files\<DIR> HP
[07/25/2005|09:55] C:\Program Files\<DIR> IBM
[09/30/2008|06:30] C:\Program Files\<DIR> InstallShield Installation Information
[07/11/2007|09:02] C:\Program Files\<DIR> Intel
[10/29/2008|06:51] C:\Program Files\<DIR> Internet Explorer
[06/27/2007|08:17] C:\Program Files\<DIR> InterVideo
[07/25/2005|10:52] C:\Program Files\<DIR> ISS
[01/02/2008|04:54] C:\Program Files\<DIR> Java
[11/29/2008|08:53] C:\Program Files\<DIR> Lavasoft
[08/16/2005|05:23] C:\Program Files\<DIR> Lotus
[04/21/2008|01:09] C:\Program Files\<DIR> Lotus iNotes
[08/16/2008|10:35] C:\Program Files\<DIR> Messenger
[03/28/2005|08:26] C:\Program Files\<DIR> microsoft frontpage
[04/09/2008|03:18] C:\Program Files\<DIR> Microsoft Office
[03/28/2005|08:51] C:\Program Files\<DIR> Microsoft Visual Studio
[01/02/2008|04:07] C:\Program Files\<DIR> Microsoft Visual Studio 8
[01/02/2008|04:02] C:\Program Files\<DIR> Microsoft Works
[01/02/2008|04:01] C:\Program Files\<DIR> Microsoft.NET
[03/28/2005|08:12] C:\Program Files\<DIR> Movie Maker
[12/05/2008|11:15] C:\Program Files\<DIR> Mozilla Firefox
[01/02/2008|04:02] C:\Program Files\<DIR> MSBuild
[01/05/2008|08:56] C:\Program Files\<DIR> MSECache
[03/28/2005|08:10] C:\Program Files\<DIR> MSN
[07/25/2005|10:51] C:\Program Files\<DIR> msn gaming zone
[06/25/2007|07:30] C:\Program Files\<DIR> MSXML 4.0
[11/15/2008|04:11] C:\Program Files\<DIR> MSXML 6.0
[04/09/2008|02:28] C:\Program Files\<DIR> Neoteris
[03/28/2005|08:12] C:\Program Files\<DIR> NetMeeting
[06/25/2007|08:15] C:\Program Files\<DIR> Outlook Express
[01/02/2008|04:53] C:\Program Files\<DIR> Patches
[08/17/2005|12:02] C:\Program Files\<DIR> PC-Doctor for Windows
[06/14/2008|02:05] C:\Program Files\<DIR> QuickTime
[05/31/2008|03:44] C:\Program Files\<DIR> Real
[04/09/2008|01:19] C:\Program Files\<DIR> SecurID Software Token
[04/27/2006|10:49] C:\Program Files\<DIR> SkillSoft
[10/19/2008|06:18] C:\Program Files\<DIR> Skype
[06/01/2008|10:10] C:\Program Files\<DIR> SoftwareRevenue.org
[06/25/2007|07:00] C:\Program Files\<DIR> Sonic
[07/25/2005|11:04] C:\Program Files\<DIR> Synaptics
[06/27/2007|09:16] C:\Program Files\<DIR> ThinkPad
[12/05/2008|10:43] C:\Program Files\<DIR> Trend Micro
[03/28/2005|08:26] C:\Program Files\<DIR> Uninstall Information
[04/11/2008|01:55] C:\Program Files\<DIR> Windows Live
[12/05/2008|12:16] C:\Program Files\<DIR> Windows Live Safety Center
[04/07/2006|04:43] C:\Program Files\<DIR> Windows Media Player
[03/28/2005|08:10] C:\Program Files\<DIR> Windows NT
[03/28/2005|08:13] C:\Program Files\<DIR> WindowsUpdate
[05/31/2008|12:08] C:\Program Files\<DIR> WinRAR
[03/28/2005|09:07] C:\Program Files\<DIR> Winzip 9.0
[06/25/2007|07:15] C:\Program Files\<DIR> WSUS Client
[03/28/2005|08:26] C:\Program Files\<DIR> xerox
[06/02/2008|09:03] C:\Program Files\<DIR> Xvid

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/09/2008|03:27] C:\Program Files\Common Files\<DIR> Adobe
[01/02/2008|04:01] C:\Program Files\Common Files\<DIR> DESIGNER
[07/25/2005|12:28] C:\Program Files\Common Files\<DIR> Fiberlink
[04/13/2008|01:16] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[05/04/2008|10:36] C:\Program Files\Common Files\<DIR> HP
[07/25/2005|11:04] C:\Program Files\Common Files\<DIR> InstallShield
[01/02/2008|04:53] C:\Program Files\Common Files\<DIR> Java
[03/28/2005|09:11] C:\Program Files\Common Files\<DIR> Lotus
[04/09/2008|03:27] C:\Program Files\Common Files\<DIR> Macrovision Shared
[04/11/2008|01:57] C:\Program Files\Common Files\<DIR> Microsoft Shared
[03/28/2005|08:12] C:\Program Files\Common Files\<DIR> MSSoap
[03/28/2005|03:05] C:\Program Files\Common Files\<DIR> ODBC
[04/21/2008|12:11] C:\Program Files\Common Files\<DIR> Oracle
[05/31/2008|03:44] C:\Program Files\Common Files\<DIR> Real
[03/28/2005|08:12] C:\Program Files\Common Files\<DIR> Services
[10/19/2008|06:18] C:\Program Files\Common Files\<DIR> Skype
[03/28/2005|03:05] C:\Program Files\Common Files\<DIR> SpeechEngines
[06/25/2007|07:00] C:\Program Files\Common Files\<DIR> SureThing Shared
[01/02/2008|04:08] C:\Program Files\Common Files\<DIR> System
[04/11/2008|01:55] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[11/29/2008|08:52] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[05/31/2008|03:44] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 64 Processes )

iexplore.exe ~ [PID:1068]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\vgandhi\Cookies\[email protected][1].txt
C:\DOCUME~1\vgandhi\Cookies\vgandhi@advertising[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

[F:569][D:36]-> C:\DOCUME~1\vgandhi\LOCALS~1\Temp
[F:166][D:0]-> C:\DOCUME~1\vgandhi\Cookies
[F:6103][D:18]-> C:\DOCUME~1\vgandhi\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 12/05/2008|12:25 - Option : [1]

--------------------\\ Scan completed at 12:25:47

Attached Files

hijackthis_12_5_08_11am_wordwrap_unchecked.txt 11.76KB 274 downloads

#4
Rorschach112

Posted 05 December 2008 - 11:31 AM

Ralphie

Retired Staff
47,710 posts

Hello

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#5
Vishal64

Posted 05 December 2008 - 12:46 PM

New Member

Topic Starter
Member
6 posts

Ran ComboFix.exe uploading combofix.txt. Machine still infected.

ComboFix 08-12-05.01 - VGandhi 2008-12-05 13:27:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT -5:00]
Running from: c:\documents and settings\vgandhi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 12:14 . 2008-12-05 12:25 <DIR> d-------- C:\Lop SD
2008-12-05 12:12 . 2008-12-05 12:16 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-05 10:43 . 2008-12-05 10:43 <DIR> d-------- c:\program files\Trend Micro
2008-11-29 20:52 . 2008-11-29 20:52 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 12:54 . 2008-11-29 20:48 <DIR> d-------- c:\documents and settings\vgandhi\Application Data\DivX
2008-11-29 12:52 . 2008-09-19 16:57 129,784 --------- c:\windows\system32\pxafs.dll
2008-11-29 12:52 . 2008-09-19 16:57 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 12:52 . 2008-09-19 16:57 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-29 12:51 . 2008-11-29 12:52 <DIR> d-------- c:\program files\DivX
2008-11-28 21:38 . 2008-11-28 21:38 0 --a------ c:\windows\nsreg.dat
2008-11-15 16:11 . 2008-11-15 16:11 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 14:34 --------- d-----w c:\documents and settings\vgandhi\Application Data\Juniper Networks
2008-12-05 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2008-11-30 01:53 --------- d-----w c:\program files\Lavasoft
2008-11-29 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-28 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-13 18:51 --------- d-----w c:\program files\CSC Nortel VPN Client
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 11:46 --------- d-----w c:\documents and settings\vgandhi\Application Data\Skype
2008-10-19 11:21 --------- d-----w c:\documents and settings\vgandhi\Application Data\skypePM
2008-10-19 11:18 --------- d-----w c:\program files\Skype
2008-10-19 11:18 --------- d-----w c:\program files\Common Files\Skype
2008-10-19 11:18 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-15 18:47 --------- d-----w c:\documents and settings\vgandhi\Application Data\U3
2004-08-03 16:55 217,405 ----a-w c:\windows\system32\config\systemprofile\WaitTime.EXE
2004-08-03 16:55 217,405 ----a-w c:\documents and settings\CGadmin\WaitTime.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"vidxhp"="c:\documents and settings\vgandhi\Application Data\Google\ggqjh22510678.exe" [2008-12-05 124416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-31 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 10:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"vidc.GEOS"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodecD.dll
"vidc.GEOV"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GEOX"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GM40"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GMP4"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GM4H"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.GM4S"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.G264"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264.dll
"vidc.G26S"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264D.dll
"vidc.GM20"= c:\windows\system32\v8200\GEO-MPEG2\2008.1.11.20.2\GXGM20.dll
"vidc.GJPG"= c:\windows\system32\v8200\GEO-JPEG\2008.1.24.19.52\GXJPG.dll
"vidc.GAVC"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVC.dll
"vidc.GAVS"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVCD.dll
"msacm.geoadpcm"= c:\windows\system32\v8200\GEO-ADPCM\2007.8.13.17.32\GeoADPCM.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\0]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\cguser.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\1]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\drive-remap.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-06-27 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-06-27 4224]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2007-04-25 36953]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2008-04-09 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
R4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2005-07-25 229367]
S2 BlackICE;BlackICE;"c:\program files\ISS\issSensors\DesktopProtection\blackd.exe" [2005-07-25 847872]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2005-07-25 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2005-07-25 24344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0023215b-7144-11dd-9c8b-444553544200}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e8bd362-9ae3-11dd-9c94-444553544200}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91cf65c2-2993-11db-b2f5-0012f0f0644f}]
\Shell\AutoRun\command - E:\autohtml.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\npdolctl.dll - O16 -: {5BDBA960-6534-11D3-97C7-00500422B550}
hxxps://amer-ml31.amer.csc.com/download/dolcontrol.cab
c:\windows\Downloaded Program Files\lotusdownloader.inf

c:\windows\Downloaded Program Files\OCXDownloadChecker_8198.ocx - O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7}
hxxp://216.138.75.38/cab/OCXChecker_8198.cab
c:\windows\Downloaded Program Files\OCXDownloadChecker.inf
FireFox -: Profile - c:\documents and settings\vgandhi\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 13:36:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1844)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1900)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\cscmarimba\tuner\lib\minituner.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-05 13:41:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 18:41:42
ComboFix2.txt 2008-12-05 18:13:51

Pre-Run: 6,318,759,936 bytes free
Post-Run: 6,302,437,376 bytes free

223 --- E O F --- 2008-11-29 17:18:34

Attached Files

ComboFix.txt 14.97KB 313 downloads

#6
Rorschach112

Posted 05 December 2008 - 01:37 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please download the OTMoveIt3 by OldTimer or from here.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0023215b-7144-11dd-9c8b-444553544200}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e8bd362-9ae3-11dd-9c94-444553544200}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91cf65c2-2993-11db-b2f5-0012f0f0644f}]

:Files

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#7
Vishal64

Posted 05 December 2008 - 07:49 PM

New Member

Topic Starter
Member
6 posts

1. OTMoveIt3 log below

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0023215b-7144-11dd-9c8b-444553544200}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e8bd362-9ae3-11dd-9c94-444553544200}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91cf65c2-2993-11db-b2f5-0012f0f0644f}\\ deleted successfully.
========== FILES ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\vgandhi\LOCALS~1\Temp\etilqs_vajQNU1dkwyhWbvSZKgj scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\vgandhi\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6b8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\vgandhi\Local Settings\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12052008_145326

2. Ran ATF Cleaner

3. Ran Malwarebytes' Anti-Malware Log Below

Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 2

2008-12-05 15:33:19
mbam-log-2008-12-05 (15-33-19).txt

Scan type: Quick Scan
Objects scanned: 58270
Time elapsed: 17 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

4. Kaspersky website online antivirus scan. Log below

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 17:18:49
Records in database: 1438933
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\
P:\

Scan statistics:
Files scanned: 96236
Threat name: 3
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 04:43:34

File name / Threat name / Threats count
C:\HowTo\NT_AUTO_Shutdn.zip Infected: not-a-virus:RiskTool.Win32.PsShutdown.101 1
C:\My Downloads\vnc-3_3_3r9_x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\My Downloads\VNCr9\vnc_x86_win32\vncviewer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\personal\Mani\Drivestream\HelpDeskSoftware\Ilient\SysAidServerFree.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 3
C:\Tools\VNC\vnc.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\Tools\VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

The selected area was scanned.

#8
Rorschach112

Posted 06 December 2008 - 01:53 PM

Ralphie

Retired Staff
47,710 posts

Post a new HJT log

#9
Vishal64

Posted 06 December 2008 - 02:14 PM

New Member

Topic Starter
Member
6 posts

After running KASPERSKY ONLINE SCANNER I was still getting the windows firewall pop up "Sinowal Trojan" Security Center Alert Do you want to block this suspicious software with the keep blocking and unblock buttons dehighlighted and Enable protection highlighted.

Last night I ran SPYBOT & AVG scan (11hrs 32mins) which found 5 trojans and procedded to delete them this morning. I then ran combofix again and posting the log below. I am not getting the windows firewall pop up "Sinowal Trojan" anymore but how can I be sure that the problem has been resolved. Also Posting new Hijack this log.

ComboFix 08-12-06.03 - VGandhi 2008-12-06 14:37:57.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1486 [GMT -5:00]
Running from: c:\documents and settings\vgandhi\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 12:44 . 2008-12-06 12:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-06 10:13 . 2008-12-06 10:14 <DIR> d-------- c:\documents and settings\vgandhi\Application Data\Antispyware
2008-12-05 22:09 . 2008-12-05 22:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-05 22:09 . 2008-12-05 22:09 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-05 22:08 . 2008-12-06 14:50 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-05 22:08 . 2008-12-05 22:08 <DIR> d-------- c:\program files\AVG
2008-12-05 22:08 . 2008-12-05 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-05 21:49 . 2008-12-05 22:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 21:49 . 2008-12-05 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 15:14 . 2008-12-05 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 15:14 . 2008-12-05 15:14 <DIR> d-------- c:\documents and settings\vgandhi\Application Data\Malwarebytes
2008-12-05 15:14 . 2008-12-05 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 15:14 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 15:14 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 14:53 . 2008-12-05 14:53 <DIR> d-------- C:\_OTMoveIt
2008-12-05 14:48 . 2008-12-05 14:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-05 14:48 . 2008-12-05 14:48 <DIR> d-------- c:\documents and settings\vgandhi\Application Data\SUPERAntiSpyware.com
2008-12-05 14:48 . 2008-12-05 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-05 12:14 . 2008-12-05 12:25 <DIR> d-------- C:\Lop SD
2008-12-05 12:12 . 2008-12-05 12:16 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-05 10:43 . 2008-12-05 10:43 <DIR> d-------- c:\program files\Trend Micro
2008-11-29 20:52 . 2008-12-05 14:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 12:54 . 2008-11-29 20:48 <DIR> d-------- c:\documents and settings\vgandhi\Application Data\DivX
2008-11-29 12:52 . 2008-09-19 16:57 129,784 --------- c:\windows\system32\pxafs.dll
2008-11-29 12:52 . 2008-09-19 16:57 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 12:52 . 2008-09-19 16:57 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-29 12:51 . 2008-11-29 12:52 <DIR> d-------- c:\program files\DivX
2008-11-28 21:38 . 2008-11-28 21:38 0 --a------ c:\windows\nsreg.dat
2008-11-15 16:11 . 2008-11-15 16:11 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 14:34 --------- d-----w c:\documents and settings\vgandhi\Application Data\Juniper Networks
2008-12-05 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2008-11-30 01:53 --------- d-----w c:\program files\Lavasoft
2008-11-29 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-28 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-13 18:51 --------- d-----w c:\program files\CSC Nortel VPN Client
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 11:46 --------- d-----w c:\documents and settings\vgandhi\Application Data\Skype
2008-10-19 11:21 --------- d-----w c:\documents and settings\vgandhi\Application Data\skypePM
2008-10-19 11:18 --------- d-----w c:\program files\Skype
2008-10-19 11:18 --------- d-----w c:\program files\Common Files\Skype
2008-10-19 11:18 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-15 18:47 --------- d-----w c:\documents and settings\vgandhi\Application Data\U3
2004-08-03 16:55 217,405 ----a-w c:\windows\system32\config\systemprofile\WaitTime.EXE
2004-08-03 16:55 217,405 ----a-w c:\documents and settings\CGadmin\WaitTime.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_13.12.36.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 19:48:40 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-05 19:48:40 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-12-06 03:08:58 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2006-12-02 05:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-31 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-05 1261336]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 10:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"vidc.GEOS"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodecD.dll
"vidc.GEOV"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GEOX"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GM40"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GMP4"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GM4H"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.GM4S"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.G264"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264.dll
"vidc.G26S"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264D.dll
"vidc.GM20"= c:\windows\system32\v8200\GEO-MPEG2\2008.1.11.20.2\GXGM20.dll
"vidc.GJPG"= c:\windows\system32\v8200\GEO-JPEG\2008.1.24.19.52\GXJPG.dll
"vidc.GAVC"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVC.dll
"vidc.GAVS"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVCD.dll
"msacm.geoadpcm"= c:\windows\system32\v8200\GEO-ADPCM\2007.8.13.17.32\GeoADPCM.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\0]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\cguser.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\1]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\drive-remap.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-06-27 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-05 97928]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-06-27 4224]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 BlackICE;BlackICE;"c:\program files\ISS\issSensors\DesktopProtection\blackd.exe" [2005-07-25 847872]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2007-04-25 36953]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2008-04-09 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
R4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2005-07-25 229367]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2005-07-25 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2005-07-25 24344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware\Antispyware.exe []

2008-12-06 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\npdolctl.dll - O16 -: {5BDBA960-6534-11D3-97C7-00500422B550}
hxxps://amer-ml31.amer.csc.com/download/dolcontrol.cab
c:\windows\Downloaded Program Files\lotusdownloader.inf

c:\windows\Downloaded Program Files\OCXDownloadChecker_8198.ocx - O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7}
hxxp://216.138.75.38/cab/OCXChecker_8198.cab
c:\windows\Downloaded Program Files\OCXDownloadChecker.inf
FireFox -: Profile - c:\documents and settings\vgandhi\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 14:51:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1908)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\cscmarimba\tuner\lib\minituner.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\ISS\issSensors\DesktopProtection\blackice.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-06 14:59:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 19:58:57
ComboFix2.txt 2008-12-06 18:59:53
ComboFix3.txt 2008-12-05 18:41:47
ComboFix4.txt 2008-12-05 18:13:51

Pre-Run: 5,648,506,880 bytes free
Post-Run: 5,629,120,512 bytes free

269 --- E O F --- 2008-11-29 17:18:34

************ HIJACK THIS LOG ****************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05, on 2008-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\program files\cscmarimba\tuner\Tuner.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\program files\cscmarimba\tuner\lib\minituner.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal.csc.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://amer-ml31.am...om/iNotes6W.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://amer-ml31.am.../dolcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182819932390
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://216.138.75.38...hecker_8198.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex....bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://eportal.broo...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.globalcsc.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.globalcsc.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: cscmarimba - BMC Software, Inc. - C:\program files\cscmarimba\tuner\Tuner.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

--
End of file - 12900 bytes

#10
Rorschach112

Posted 06 December 2008 - 02:27 PM

Ralphie

Retired Staff
47,710 posts

your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Make sure you have an Internet Connection.
Download OTCleanIt to your desktop and run it
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

*ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

*Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

*ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

* Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

Thank you for your patience, and performing all of the procedures requested.

#11
Vishal64

Posted 07 December 2008 - 10:30 AM

New Member

Topic Starter
Member
6 posts

I followed the instructions provided. Thanks again for all your help and assistance in removing this trojan.

#12
Rorschach112

Posted 07 December 2008 - 10:49 AM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.