worm.win32



#1
good_hope2

CatByte, these are the logs requested. I have rerun and posted the diagnostic log. Secondly, I have attached the other product of this scan (Attach) and also the text files logging the Root Repeal and Remover processes.

The original post can be found at:
http://www.geekstogo...46#entry1738046

The diagnostic log was a DDS, I have rerun it and here are the results.

Here I have posted one of two resulting text files that I acquired (DDS.txt) and I have attached the second as a zip file (Attach.zip).

1) DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by wisudha at 12:48:38.96 on 09/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2038.1207 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\wisudha\Desktop\Geeks to Go\dds.com

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Athens Toolbar: {2e560504-b9c8-48aa-982a-08b79c3fd40e} - c:\program files\eduserv technologies limited\athens toolbar\AthensToolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [yutvjtsa] c:\documents and settings\wisudha\local settings\application data\bwkgue\vvyhsysguard.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [UniPrint] c:\program files\uniprint\client\\SetDfltSettings.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware se professional\ad-watch.exe +prefs:"c:\documents and settings\%username%\application data\lavasoft\ad-aware\awsettings.awc"
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Advanced DHTML Enable] C:\Program.exe
mRun: [yutvjtsa] c:\documents and settings\wisudha\local settings\application data\bwkgue\vvyhsysguard.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [<NO NAME>]
StartupFolder: c:\docume~1\wisudha\startm~1\programs\startup\xlmon.lnk - c:\program files\hydra online client\XLMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183998401656
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.timevision.com/codebase60/OrgPubX.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ccl.webex.com/client/T25L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {7A0D3C14-63F9-445E-B31B-E37E9BC746E5} = 161.74.92.5,161.74.92.10
TCP: {E7961FCD-C7DD-4BDC-94E7-D8B85DDFA3FF} = 161.74.92.5,161.74.92.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwv1_0
mASetup: {28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\win32.exe
Hosts: 192.168.1.70 HP001A4B9B28C3

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wisudha\applic~1\mozilla\firefox\profiles\vofy6mg2.default\
FF - prefs.js: browser.startup.homepage - www.wmin.ac.uk
FF - prefs.js: network.proxy.type - 2

============= SERVICES / DRIVERS ===============

R?2 Remote Management Agent;Novell ZfD Remote Management;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2003-10-22 135168]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2003-3-18 4768]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [2003-3-18 4043]
R2 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [2003-3-18 4080]
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\WolSerNT.exe [2003-3-18 49152]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2007-7-10 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2007-7-10 9176]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2003-3-18 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-6 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\naveng.sys [2010-1-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\navex15.sys [2010-1-2 1323568]
R3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\novell\nscmnt.sys [2004-3-3 25616]
R3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\novell\xauthnt.sys [2004-3-24 11640]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-5 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-11-5 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-3 7680]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-07-09 11:48:38 0 d-----w- c:\temp\65.tmp
2010-07-09 11:45:54 0 d-----w- c:\temp\WPDNSE
2010-07-08 08:55:11 0 d-----w- c:\temp\peazip-tmp
2010-07-08 08:55:11 0 d-----w- c:\docume~1\wisudha\applic~1\PeaZip
2010-07-08 08:54:51 0 d-----w- c:\program files\PeaZip

==================== Find3M ====================

2010-07-09 11:48:43 860672 ----a-w- c:\windows\system32\drivers\nczpz.sys

============= FINISH: 12:49:10.06 ===============


#2
CatByte

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#3
good_hope2

Dear CatByte

Here are the results of the combofix file.

Kind Regards
good_hope2

ComboFix 10-07-08.02 - wisudha 10/07/2010 3:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2038.1153 [GMT 1:00]
Running from: c:\documents and settings\wisudha\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\wisudha\Local Settings\Application Data\bwkgue\vvyhsysguard.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
C:\s
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\29358.exe
c:\windows\system32\6334.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\drivers\nczpz.sys
c:\windows\system32\kbdsock.dll
c:\windows\system32\UNWISE.EXE
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_nczpz
-------\Service_nczpz


((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-10 02:11 . 2010-07-10 02:11 53248 ----a-w- c:\temp\catchme.dll
2010-07-10 02:11 . 2010-07-10 02:11 -------- d-----w- c:\temp\WPDNSE
2010-07-08 08:55 . 2010-07-08 08:55 -------- d-----w- c:\temp\peazip-tmp
2010-07-08 08:55 . 2010-07-08 08:55 -------- d-----w- c:\documents and settings\wisudha\Application Data\PeaZip
2010-07-08 08:54 . 2010-07-08 08:54 -------- d-----w- c:\program files\PeaZip
2010-07-05 08:12 . 2010-07-05 08:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 02:09 . 2007-07-30 15:12 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-10 02:07 . 2009-11-11 00:22 627856 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-07 00:26 . 2009-10-06 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 08:07 . 2008-06-11 12:23 -------- d-----w- c:\program files\Google
2007-08-01 11:15 . 2007-07-09 14:47 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-08-01 11:15 . 2007-07-09 14:47 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-08-01 11:15 . 2007-07-17 16:00 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-08-01 11:15 . 2007-07-17 16:00 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-08-01 11:15 . 2007-07-09 14:47 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-02-29 13:35 . 2008-02-29 13:35 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-02-29 13:35 . 2008-02-29 13:35 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-06-21 17:38 . 2007-06-21 17:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 17:38 . 2007-06-21 17:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 17:38 . 2007-06-21 17:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 17:38 . 2007-06-21 17:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 17:39 . 2007-06-21 17:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 17:39 . 2007-06-21 17:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 17:39 . 2007-06-21 17:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 17:39 . 2007-06-21 17:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 17:40 . 2007-06-21 17:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 39408]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-12-03 3118344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"UniPrint"="c:\program files\UniPrint\Client\\SetDfltSettings.exe" [2004-05-11 94208]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2003-03-18 40960]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-24 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 319488]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-11 505368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-11 780312]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\wisudha\Start Menu\Programs\Startup\
XLMon.lnk - c:\program files\Hydra Online Client\XLMon.exe [2007-7-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novell\\ZENworks\\Asset Management\\bin\\cclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1761:TCP"= 1761:TCP:Zen-1761-TCP
"1761:UDP"= 1761:UDP:Zen-1761-UDP
"1762:TCP"= 1762:TCP:Zen-1762-TCP
"1762:UDP"= 1762:UDP:Zen-1762-UDP
"517:TCP"= 517:TCP:Zen-517-TCP
"517:UDP"= 517:UDP:Zen-517-UDP
"1763:TCP"= 1763:TCP:Zen-1763-TCP
"1763:UDP"= 1763:UDP:Zen-1763-UDP
"21:TCP"= 21:TCP:Zen-21-TCP
"21:UDP"= 21:UDP:Zen-21-UDP
"6000:TCP"= 6000:TCP:exceed-6000-tcp
"6000:UDP"= 6000:UDP:exceed-6000-udp
"7460:TCP"= 7460:TCP:ZAMClient7460

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [18/03/2003 18:26 4768]
R2 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [18/03/2003 15:16 4043]
R2 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [18/03/2003 15:16 4080]
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [18/03/2003 14:40 49152]
R2 Remote Management Agent;Novell ZfD Remote Management;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/10/2003 15:55 135168]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [10/07/2007 15:43 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [10/07/2007 15:43 9176]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [18/03/2003 15:14 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/10/2009 21:16 102448]
R3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\Novell\nscmnt.sys [03/03/2004 12:51 25616]
R3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\Novell\xauthnt.sys [24/03/2004 11:01 11640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2010 09:07 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [05/11/2009 18:39 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [03/11/2008 18:29 7680]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 20:33 116464]
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 17:39]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 08:07]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-05 08:07]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {7A0D3C14-63F9-445E-B31B-E37E9BC746E5} = 161.74.92.5,161.74.92.10
TCP: {E7961FCD-C7DD-4BDC-94E7-D8B85DDFA3FF} = 161.74.92.5,161.74.92.10
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.timevision.com/codebase60/OrgPubX.cab
FF - ProfilePath - c:\documents and settings\wisudha\Application Data\Mozilla\Firefox\Profiles\vofy6mg2.default\
FF - prefs.js: browser.startup.homepage - www.wmin.ac.uk
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-yutvjtsa - c:\documents and settings\wisudha\Local Settings\Application Data\bwkgue\vvyhsysguard.exe
HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
HKLM-Run-yutvjtsa - c:\documents and settings\wisudha\Local Settings\Application Data\bwkgue\vvyhsysguard.exe
ActiveSetup-{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} - c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 03:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\Novell\ZENworks\ZENLITE.DLL
c:\windows\system32\xmlparse.dll
c:\program files\Novell\ZENworks\ZENNW32.DLL

- - - - - - - > 'Explorer.exe'(9292)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Novell\ZENworks\wm.exe
c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
c:\windows\system32\msiexec.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\NWTRAY.EXE
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-07-10 03:17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 02:17

Pre-Run: 28,467,216,384 bytes free
Post-Run: 28,521,754,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 6A50C57530DB7828A1E4DE3B6484D5A4

Attached Files

  • Attached File  log.txt   16.82KB   55 downloads


#4
CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,704 posts
  • MVP
Hi

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
