Please help...Here is hijackthis log
Post by neech » December 12th, 2007, 5:56 pm

Hi, I get pop-ups from NAV 2007 about Hacktool.Rootkit and Downloader saying that they were blocked... But they are not removed and usually come up again. Also I sometimes receive a pop-up from NAV saying the system has been blocked from a serious attack. I cannot unhide files from Folder Options either.
I have installed and run HijackThis. Here is its log below.

Logfile of HijackThis v1.99.1
Scan saved at 1:37:26 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis1991\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19DB0E94-8303-44EF-9AC2-B5F4ACDC45A3}: NameServer = 172.16.77.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
neech
Regular Member
Posts: 24
Joined: December 12th, 2007, 5:44 pm

Re: Please help...Here is hijackthis log

Post by gringo_pr » December 13th, 2007, 10:45 pm

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please observe the following while we work:
If you don't know, stop and ask! Don't continue, we don't want to start all over again!
Understand that cleaning your computer can sometimes take multiple passes/posts, and it's important to follow the steps in the order that I give them including re-running scans if needed. If you don't follow the instructions in the order I give them or you try something you read in another post you can reinfect this computer again and we will have to start over.
Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

We are currently looking at your log and will be back as soon as possible with your instructions.

Gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Please help...Here is hijackthis log

Post by neech » December 14th, 2007, 3:23 am

Hi Gringo, thanks for your help.
Well, here below are all the problems I am facing on my computer.
1. Symantec NAV 2007 usually displays THREE (3) pop-ups saying:
a. Auto-Protect has blocked Hacktool.Rootkit as a security risk
b. Auto-Protect has blocked Downloader as a security risk
c. A recent attack on your computer was blocked. Your computer is now secure
2. However, when I ran a full system scan using my NAV 2007 it didn't display any kind of threat. But the messages above usually pop up.
3. In Folder Options, when I set it to "View hidden files" it changes back to "Do not show hidden files" automatically and I am not able to view hidden files.
4. When I double-click to open my hard disks (TWO 20GB partitions), it displays a small window to choose "Open file with". Thus I can't access my hard disks through double-click. I can only access them by scrolling the address bar to the specified drive. My hard disk is NTFS.
neech
Regular Member
Posts: 24
Joined: December 12th, 2007, 5:44 pm

Re: Please help...Here is hijackthis log

Post by gringo_pr » December 14th, 2007, 10:25 am

Hello neech

Download Flash_Disinfector from here and save it to your desktop.
Double-click on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Download and Run ComboFix

  • Download this file from either of the two below listed places:

    Here or here

  • Then double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please send me the log from ComboFix
and a new log from HijackThis.

Gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Please help...Here is hijackthis log

Post by neech » December 15th, 2007, 2:22 am

Hi Gringo, thanks for your help.
Here below is the ComboFix log:

ComboFix 07-12-15.1 - B h a r a t 2007-12-14 22:12:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -8:00]
Running from: C:\Documents and Settings\B h a r a t\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-14 14:15 . 2004-08-03 10:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-14 14:14 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-14 03:01 . 2007-12-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 12:40 . 2007-12-13 12:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-13 10:49 . 2007-12-14 12:26 921,624 --a------ C:\DC6810xp-001.raw
2007-12-13 10:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 10:14 . 2007-12-13 10:15 <DIR> d-------- C:\Program Files\Java
2007-12-13 08:46 . 2007-12-13 08:46 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-12 13:32 . 2007-12-13 05:56 <DIR> d-------- C:\hijackthis1991
2007-12-12 08:51 . 2007-07-12 15:31 765,952 -----c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-12-12 04:48 . 2007-12-12 04:48 <DIR> d--hs---- C:\INCINERATE
2007-12-12 04:48 . 2007-12-13 23:32 1,136 --a------ C:\WINDOWS\SysMech6.INI
2007-12-12 04:44 . 2007-12-12 04:44 <DIR> d-------- C:\Program Files\iolo
2007-12-12 04:44 . 2006-12-20 17:48 1,212,416 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-12-12 04:44 . 2006-03-28 01:54 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-12-12 04:44 . 2005-09-12 13:20 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-12-12 04:44 . 2006-03-28 01:54 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-12-12 04:44 . 2007-12-12 04:44 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-12 03:21 . 2007-12-12 03:24 423,736 --a------ C:\avgarkt-setup-1.1.0.42.exe
2007-12-11 12:10 . 2007-12-14 14:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-11 09:56 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-11 09:56 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-11 09:56 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-11 08:51 . 2007-12-11 08:51 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Real
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-11 07:03 . 2007-12-11 07:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-10 22:51 . 2007-03-30 19:58 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-10 11:38 . 2007-12-11 08:53 123,551 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-10 11:38 . 2007-12-13 03:04 45,421 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-10 10:30 . 2007-12-10 10:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-10 07:50 . 2007-12-11 06:28 <DIR> d-------- C:\Program Files\Windows Live
2007-12-10 07:50 . 2007-12-10 10:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-10 07:49 . 2007-12-11 06:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-10 06:14 . 2007-12-10 06:16 <DIR> d-------- C:\Program Files\Microsoft LifeCam
2007-12-10 06:08 . 2007-12-10 06:19 <DIR> d-------- C:\Program Files\DAP
2007-12-10 06:08 . 2007-12-14 13:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-10 06:08 . 2007-12-10 06:08 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2007-12-10 06:08 . 2007-12-10 06:08 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2007-12-10 06:08 . 2007-12-10 06:08 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-12-10 05:44 . 2007-12-10 05:44 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-10 05:07 . 2005-07-04 16:03 1,650,688 --a------ C:\WINDOWS\system32\qdiagdwc.ocx
2007-12-10 05:07 . 2005-02-09 13:08 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-12-10 05:07 . 2005-02-08 13:04 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-12-10 05:07 . 2005-02-08 15:46 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-12-10 05:07 . 2005-02-07 19:07 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-12-10 04:43 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-12-10 04:43 . 2006-04-26 14:59 217,185 --a------ C:\WINDOWS\system32\GTDownDE_130.ocx
2007-12-10 04:42 . 2007-12-10 04:42 <DIR> d-------- C:\Program Files\Dell Support
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d--h----- C:\Documents and Settings\B h a r a t\Application Data\GTek
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2007-12-10 04:05 . 2007-12-14 01:45 <DIR> d-------- C:\Documents and Settings\B h a r a t\Contacts
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-10 03:44 . 2007-12-10 03:44 <DIR> d-------- C:\Program Files\eLitecore
2007-12-10 03:44 . 2004-01-06 11:12 128,000 --a------ C:\WINDOWS\UnGins.exe
2007-12-10 03:40 . 2007-12-10 03:40 <DIR> d-------- C:\Program Files\Broadcom
2007-12-10 03:40 . 2006-11-21 04:25 45,568 -ra------ C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2007-12-10 02:34 . 2007-12-10 02:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 02:34 . 2007-12-11 09:36 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-10 02:27 . 2007-12-11 10:03 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-10 02:26 . 2007-12-11 09:27 <DIR> d-------- C:\Program Files\Symantec
2007-12-10 02:26 . 2007-12-11 09:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-10 02:26 . 2007-12-11 09:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-10 02:26 . 2007-12-11 09:27 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-10 02:26 . 2007-12-11 09:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-10 02:15 . 2007-12-12 10:08 376 --a------ C:\WINDOWS\ODBC.INI
2007-12-10 02:14 . 2007-12-10 02:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-10 02:13 . 2007-12-10 02:14 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a------ C:\WINDOWS\system32\drivers\BCM4E5.SYS
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a--c--- C:\WINDOWS\system32\dllcache\bcm4e5.sys
2007-12-10 01:57 . 2001-08-17 12:11 54,271 --a------ C:\WINDOWS\system32\drivers\bcm42xx5.sys
2007-12-10 01:57 . 2001-08-17 12:11 54,271 --a--c--- C:\WINDOWS\system32\dllcache\bcm42xx5.sys
2007-12-10 01:55 . 2001-08-17 12:11 96,640 --a------ C:\WINDOWS\system32\drivers\b57xp32.sys
2007-12-10 01:55 . 2001-08-17 12:11 96,640 --a--c--- C:\WINDOWS\system32\dllcache\b57xp32.sys
2007-12-10 01:51 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-10 01:37 . 2007-12-10 01:37 <DIR> d-------- C:\Program Files\DIFX
2007-12-10 01:37 . 2004-09-03 10:00 90,112 --a------ C:\WINDOWS\system32\snymsico.dll
2007-12-10 01:37 . 2006-11-14 19:42 43,520 --a------ C:\WINDOWS\system32\drivers\rimsptsk.sys
2007-12-10 01:37 . 2006-11-14 17:35 37,376 --a------ C:\WINDOWS\system32\drivers\rixdptsk.sys
2007-12-10 01:37 . 2006-11-15 00:16 32,256 --a------ C:\WINDOWS\system32\drivers\rimmptsk.sys
2007-12-10 01:37 . 2005-05-06 19:06 16,480 --a------ C:\WINDOWS\system32\rixdicon.dll
2007-12-10 01:35 . 2006-06-14 14:47 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-12-10 01:35 . 2006-06-14 14:47 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-12-10 01:35 . 2006-06-14 14:20 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-12-10 01:35 . 2006-06-14 14:20 6,272 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-12-10 01:34 . 2007-12-10 01:34 <DIR> d-------- C:\Program Files\SigmaTel
2007-12-10 01:34 . 2007-12-10 01:34 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-10 01:31 . 2007-12-10 01:31 5 --a------ C:\WINDOWS\system32\drivers\DELL__.MRK
2007-12-10 01:31 . 2007-12-10 01:31 5 --a------ C:\WINDOWS\system32\drivers\1028_DELL__.MRK
2007-12-10 01:30 . 2007-12-10 01:30 <DIR> d-------- C:\Program Files\Dell
2007-12-10 01:30 . 2007-12-10 01:33 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-10 01:30 . 2007-12-10 01:30 <DIR> d-------- C:\dell
2007-12-10 01:30 . 2005-09-15 21:15 666 --a------ C:\WINDOWS\speed.reg
2007-12-10 01:00 . 2007-12-11 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 11:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-10 08:48 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-10 08:42 --------- d-----w C:\Program Files\Microsoft Games
2007-12-10 08:41 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-10 08:41 --------- d-----w C:\Program Files\Microsoft PowerToys
2007-12-10 08:41 --------- d-----w C:\Program Files\HashTab Shell Extension
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 03:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 03:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 03:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 03:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 03:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 03:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 03:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 03:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 03:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 19:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 10:26]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2006-12-20 17:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 13:19]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 10:29]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 11:41]
"VX6000"="C:\WINDOWS\vVX6000.exe" [2006-06-29 15:55]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 15:54]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-11 08:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

R0 ENO;ENO;C:\WINDOWS\system32\drivers\ENO.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe"
R3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218994ac-a727-11dc-b66b-0015c51718f5}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef87abfe-a974-11dc-b681-0015c51718f5}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 10:32:46 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - B h a r a t.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 22:13:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
Completion time: 2007-12-14 22:14:10
.
2007-12-14 22:15:51 --- E O F ---

---------------------------------------------------------------------------------------------------------------------
Here below is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:24 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\B h a r a t\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19DB0E94-8303-44EF-9AC2-B5F4ACDC45A3}: NameServer = 172.16.77.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
neech
Regular Member
Posts: 24
Joined: December 12th, 2007, 5:44 pm

Re: Please help...Here is hijackthis log

Post by neech » December 15th, 2007, 7:17 am

Hi again. I am now able to open my hard disks by double-clicking, and I can also set "view hidden files" in Folder Options. But those THREE pop-ups in NAV 2007 are still there; they keep popping up. Please help.
neech

Re: Please help...Here is hijackthis log

Post by gringo_pr » December 17th, 2007, 12:43 pm

hello neech

Your log shows you have Download Accelerator Plus (DAP or dap.exe) installed.
DAP is not technically malware, but it may include malware and allow it into your system. Note that the free version is adware-based.
If it is the free, ad-supported version, then I recommend that you switch to LeechGet 2006 Download Manager (http://www.leechget.net/en/), which is adware-free freeware. Another free, and spyware-free, alternative is Star Downloader.
You can find other Safer Alternatives. Should you choose to remove it, uninstall it through Control Panel => Add/Remove Programs. Let me know whether you decided to remove it or to keep it.



Uninstall list

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.



Run CFScript
Open Notepad and copy/paste the text in the box into the window:

DirLook:: 
C:\Documents and Settings\B h a r a t\Contacts 
C:\WINDOWS\PIF 

File:: 
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
F:\ntde1ect.com


Registry:: 
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218994ac-a727-11dc-b66b-0015c51718f5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef87abfe-a974-11dc-b681-0015c51718f5}]



Save it to your desktop as CFScript.txt

Make sure you have your removable drive connected as well.


Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.





Send me the new log from ComboFix,
a new log from HijackThis,
plus the uninstall list from HijackThis.





gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: Puerto Rico

Re: Please help...Here is hijackthis log

Post by neech » December 18th, 2007, 3:14 am

hi thanks gringo.
Please note that yesterday someone sent me a picture-like file on MSN. When I opened it, I could not see it. I think it loaded into the system and it was a virus-like file. I ran a full system scan with NAV and found a tracking cookie. I fixed that. I will now run the steps you have told me, but please note that the logs may include the virus file I got, because I think it's still there. Your help to clean my system completely will be greatly appreciated. Thanks in advance.
neech

Re: Please help...Here is hijackthis log

Post by neech » December 18th, 2007, 10:07 am

Hello Gringo. I have removed DAP and installed LeechGet.
Here is the Uninstall list:

Adobe Flash Player ActiveX
AppCore
AV
Broadcom 440x 10/100 Integrated Controller
ccCommon
Cyberoam Client for 24Online
Dell Support 3.2.1
HijackThis 1.99.1
Hotfix for Windows Media Player 11 (KB939683)
Intel(R) Graphics Media Accelerator Driver
Internet Worm Protection
Java(TM) 6 Update 3
LeechGet 2007 Version 2.1
LiveUpdate 3.2 (Symantec Corporation)
Microsoft LifeCam
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
RealPlayer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SigmaTel Audio
SPBBC 32bit
Symantec
Update for Windows XP (KB933360)
Update for Windows XP (KB942763)
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Vista Freecell Game
Windows Vista Games Main (uninstall last)
Windows Vista Hearts Game
Windows Vista Minesweeper Game
Windows Vista Solitaire Game
Windows Vista Spider Solitaire Game
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885884
WinRAR archiver
----------------------------------------------------------------------------------------------------------------------

Here is the log from combofix:
ComboFix 07-12-15.1 - B h a r a t 2007-12-18 5:51:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT -8:00]
Running from: C:\Documents and Settings\B h a r a t\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\B h a r a t\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-18 05:31 . 2007-12-18 05:31 <DIR> d-------- C:\Program Files\LeechGet 2007
2007-12-16 04:58 . 2007-12-16 04:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-16 01:48 . 2007-12-18 01:08 116 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-16 00:28 . 2007-12-16 00:28 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-16 00:28 . 2007-12-16 00:28 <DIR> d-------- C:\Program Files\Ahead
2007-12-16 00:28 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-12-16 00:28 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-12-16 00:28 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-12-16 00:28 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-12-16 00:28 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-16 00:28 . 2004-03-02 17:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-12-16 00:28 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-12-16 00:28 . 2004-03-02 17:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-14 14:15 . 2004-08-03 10:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-14 14:14 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-14 03:01 . 2007-12-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 12:40 . 2007-12-13 12:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-13 10:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 10:14 . 2007-12-13 10:15 <DIR> d-------- C:\Program Files\Java
2007-12-13 08:46 . 2007-12-13 08:46 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-12 08:51 . 2007-07-12 15:31 765,952 -----c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-12-12 04:48 . 2007-12-12 04:48 <DIR> d--hs---- C:\INCINERATE
2007-12-12 04:44 . 2007-12-14 22:35 <DIR> d-------- C:\Program Files\iolo
2007-12-12 04:44 . 2007-12-12 04:44 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-11 12:10 . 2007-12-14 14:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-11 09:56 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-11 09:56 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-11 09:56 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-11 08:51 . 2007-12-11 08:51 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Real
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-11 07:03 . 2007-12-11 07:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-10 22:51 . 2007-03-30 19:58 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-10 11:38 . 2007-12-11 08:53 123,551 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-10 11:38 . 2007-12-13 03:04 45,421 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-10 10:30 . 2007-12-10 10:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-10 07:50 . 2007-12-11 06:28 <DIR> d-------- C:\Program Files\Windows Live
2007-12-10 07:50 . 2007-12-10 10:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-10 07:49 . 2007-12-11 06:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-10 06:14 . 2007-12-10 06:16 <DIR> d-------- C:\Program Files\Microsoft LifeCam
2007-12-10 06:08 . 2007-12-17 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-10 06:08 . 2007-12-10 06:08 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2007-12-10 06:08 . 2007-12-10 06:08 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2007-12-10 06:08 . 2007-12-10 06:08 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-12-10 05:44 . 2007-12-10 05:44 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-10 05:07 . 2005-07-04 16:03 1,650,688 --a------ C:\WINDOWS\system32\qdiagdwc.ocx
2007-12-10 05:07 . 2005-02-09 13:08 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-12-10 05:07 . 2005-02-08 13:04 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-12-10 05:07 . 2005-02-08 15:46 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-12-10 05:07 . 2005-02-07 19:07 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-12-10 04:43 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-12-10 04:43 . 2006-04-26 14:59 217,185 --a------ C:\WINDOWS\system32\GTDownDE_130.ocx
2007-12-10 04:42 . 2007-12-10 04:42 <DIR> d-------- C:\Program Files\Dell Support
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d--h----- C:\Documents and Settings\B h a r a t\Application Data\GTek
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2007-12-10 04:05 . 2007-12-16 06:56 <DIR> d-------- C:\Documents and Settings\B h a r a t\Contacts
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-10 03:44 . 2007-12-10 03:44 <DIR> d-------- C:\Program Files\eLitecore
2007-12-10 03:44 . 2004-01-06 11:12 128,000 --a------ C:\WINDOWS\UnGins.exe
2007-12-10 03:40 . 2007-12-10 03:40 <DIR> d-------- C:\Program Files\Broadcom
2007-12-10 03:40 . 2006-11-21 04:25 45,568 -ra------ C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2007-12-10 02:34 . 2007-12-10 02:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 02:34 . 2007-12-11 09:36 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-10 02:27 . 2007-12-11 10:03 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-10 02:26 . 2007-12-11 09:27 <DIR> d-------- C:\Program Files\Symantec
2007-12-10 02:26 . 2007-12-11 09:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-10 02:26 . 2007-12-11 09:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-10 02:26 . 2007-12-11 09:27 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-10 02:26 . 2007-12-11 09:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-10 02:15 . 2007-12-12 10:08 376 --a------ C:\WINDOWS\ODBC.INI
2007-12-10 02:14 . 2007-12-10 02:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-10 02:13 . 2007-12-10 02:14 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a------ C:\WINDOWS\system32\drivers\BCM4E5.SYS
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a--c--- C:\WINDOWS\system32\dllcache\bcm4e5.sys
2007-12-10 01:57 . 2001-08-17 12:11 54,271 --a------ C:\WINDOWS\system32\drivers\bcm42xx5.sys
2007-12-10 01:57 . 2001-08-17 12:11 54,271 --a--c--- C:\WINDOWS\system32\dllcache\bcm42xx5.sys
2007-12-10 01:55 . 2001-08-17 12:11 96,640 --a------ C:\WINDOWS\system32\drivers\b57xp32.sys
2007-12-10 01:55 . 2001-08-17 12:11 96,640 --a--c--- C:\WINDOWS\system32\dllcache\b57xp32.sys
2007-12-10 01:51 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-10 01:37 . 2007-12-10 01:37 <DIR> d-------- C:\Program Files\DIFX
2007-12-10 01:37 . 2004-09-03 10:00 90,112 --a------ C:\WINDOWS\system32\snymsico.dll
2007-12-10 01:37 . 2006-11-14 19:42 43,520 --a------ C:\WINDOWS\system32\drivers\rimsptsk.sys
2007-12-10 01:37 . 2006-11-14 17:35 37,376 --a------ C:\WINDOWS\system32\drivers\rixdptsk.sys
2007-12-10 01:37 . 2006-11-15 00:16 32,256 --a------ C:\WINDOWS\system32\drivers\rimmptsk.sys
2007-12-10 01:37 . 2005-05-06 19:06 16,480 --a------ C:\WINDOWS\system32\rixdicon.dll
2007-12-10 01:35 . 2006-06-14 14:47 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-12-10 01:35 . 2006-06-14 14:47 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-12-10 01:35 . 2006-06-14 14:20 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-12-10 01:35 . 2006-06-14 14:20 6,272 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-12-10 01:34 . 2007-12-10 01:34 <DIR> d-------- C:\Program Files\SigmaTel
2007-12-10 01:34 . 2007-12-10 01:34 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-10 01:31 . 2007-12-10 01:31 5 --a------ C:\WINDOWS\system32\drivers\DELL__.MRK
2007-12-10 01:31 . 2007-12-10 01:31 5 --a------ C:\WINDOWS\system32\drivers\1028_DELL__.MRK
2007-12-10 01:30 . 2007-12-10 01:30 <DIR> d-------- C:\Program Files\Dell
2007-12-10 01:30 . 2007-12-10 01:33 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-10 01:30 . 2007-12-10 01:30 <DIR> d-------- C:\dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 06:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-10 08:48 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-10 08:42 --------- d-----w C:\Program Files\Microsoft Games
2007-12-10 08:41 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-10 08:41 --------- d-----w C:\Program Files\Microsoft PowerToys
2007-12-10 08:41 --------- d-----w C:\Program Files\HashTab Shell Extension
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 03:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 03:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 03:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 03:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 03:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 03:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 03:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 03:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 03:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 19:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\PIF ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 10:26]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 10:29]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 11:41]
"VX6000"="C:\WINDOWS\vVX6000.exe" [2006-06-29 15:55]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 15:54]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-11 08:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

R0 ENO;ENO;C:\WINDOWS\system32\drivers\ENO.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe"
R3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys
S2 f0ufzatyeit;Print Spooler Service;C:\WINDOWS\system32\mhjixiocbtxu.exe /service
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 10:32:46 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - B h a r a t.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 05:52:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-18 5:52:47
.
2007-12-15 11:06:04 --- E O F ---
----------------------------------------------------------------------------------------------------------------------

Here is the log from hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 5:53:56 AM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\B h a r a t\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19DB0E94-8303-44EF-9AC2-B5F4ACDC45A3}: NameServer = 172.16.77.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Print Spooler Service (f0ufzatyeit) - Unknown owner - C:\WINDOWS\system32\mhjixiocbtxu.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
----------------------------------------------------------------------------------------------------------------------

PLEASE NOTE THAT: I killed the service mhjixiocbtxu.exe using "Killbox", as I got it after clicking the file from MSN chat which I mentioned in my previous post.
Thanks
neech
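Two entries in the logs above carry the real signal: the O23 line "Print Spooler Service (f0ufzatyeit)" pointing at C:\WINDOWS\system32\mhjixiocbtxu.exe and marked "(file missing)", and the two files amvo.exe and amvo0.dll dropped into system32 with the read-only, hidden and system attributes set (the "-r-hs----" column in ComboFix's listing). The script below is an added example, not a tool from this thread or from the HijackThis or ComboFix authors, that pulls those signals out of the two log formats automatically. The O23 parser flags a binary that is not on disk, a display name borrowed from a real Windows service whose service name or binary does not match, and an unknown-owner binary running out of system32; the ComboFix parser flags executables under C:\WINDOWS that are both hidden and system. The table of legitimate Windows service names is a short subset assumed for the example, and the sample log lines are constructed copies of lines from the posts above.

```python
"""Triage HijackThis O23 service lines and ComboFix file listings.

Added example, not a tool from the thread. The sample lines are constructed
to match the shape of the logs posted above; paths and names are taken from them.
"""
import re

# Windows XP display names with the service name and binary that legitimately
# carry them (partial table; an assumption made for this example).
KNOWN_WINDOWS_SERVICES = {
    "print spooler": ("Spooler", "spoolsv.exe"),
    "workstation": ("lanmanworkstation", "svchost.exe"),
    "server": ("lanmanserver", "svchost.exe"),
}
EXEC_EXT = {".exe", ".dll", ".com", ".sys", ".scr", ".pif", ".bat", ".cmd"}

HJT_O23_LINES = r"""
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Print Spooler Service (f0ufzatyeit) - Unknown owner - C:\WINDOWS\system32\mhjixiocbtxu.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
""".strip().splitlines()

COMBOFIX_FILE_LINES = r"""
2007-12-16 04:58 . 2007-12-16 04:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-10 11:38 . 2007-12-11 08:53 123,551 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-10 11:38 . 2007-12-13 03:04 45,421 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-10 10:30 . 2007-12-10 10:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-10 02:26 . 2007-12-11 09:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
""".strip().splitlines()

# "O23 - Service: <display> (<name>) - <owner> - <path> (file missing)"; HijackThis
# omits "(<name>)" when the service name equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "<created> . <modified> <size|<DIR>> <attrs> <path>" from ComboFix's "Files Created" section.
CF_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)


def parse_o23(line):
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["name"] = svc["name"] or svc["display"]
    svc["binary"] = svc["path"].rsplit("\\", 1)[-1].split(" ")[0].strip('"').lower()
    svc["missing"] = bool(svc["missing"])
    return svc


def triage_o23(lines):
    """Return [(service name, path, [reasons])] for O23 entries worth a second look."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if not svc:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("binary not on disk: deleted, or hidden from the scanner")
        display_key = svc["display"].lower().replace(" service", "").strip()
        known = KNOWN_WINDOWS_SERVICES.get(display_key)
        if known and (svc["name"].lower() != known[0].lower() or svc["binary"] != known[1]):
            reasons.append(f"display name impersonates {known[0]} ({known[1]})")
        if svc["owner"] == "Unknown owner" and "\\windows\\system32\\" in svc["path"].lower():
            reasons.append("no publisher info yet runs out of system32")
        if reasons:
            findings.append((svc["name"], svc["path"], reasons))
    return findings


def triage_combofix_files(lines):
    """Executables under C:\\WINDOWS carrying hidden+system attributes, the
    combination the amvo dropper uses to stay out of Explorer listings."""
    hits = []
    for line in lines:
        m = CF_FILE_RE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        path, attrs = m["path"], m["attrs"]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if "h" in attrs and "s" in attrs and path.lower().startswith("c:\\windows\\") and "." + ext in EXEC_EXT:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, path, reasons in triage_o23(HJT_O23_LINES):
        print(f"O23 {name}: {path}\n  - " + "\n  - ".join(reasons))
    for path in triage_combofix_files(COMBOFIX_FILE_LINES):
        print("hidden+system executable:", path)
```

One caveat is visible in the same log: HijackThis 1.99.1 also prints "(file missing)" for the Symantec ccSvcHst.exe services, because it misparses the quoted command line with arguments, while the process list shows ccSvcHst.exe running. "File missing" on its own is therefore a weak signal; it is the combination with the impersonated display name and the random service name that makes f0ufzatyeit stand out. The same service shows up in ComboFix's loading points as `S2 f0ufzatyeit;Print Spooler Service;C:\WINDOWS\system32\mhjixiocbtxu.exe /service`, where the genuine spooler would be `Spooler` running `spoolsv.exe`.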

Re: Please help...Here is hijackthis log

Post by neech » December 18th, 2007, 11:52 am

Hi. I am still getting the pop-ups from NAV.
I usually get the Downloader pop-up and "a recent attack on the computer was blocked".
I checked the further details in NAV for the "recent attack on the computer was blocked" one.
I think this may help you.
Here are the details...
Risk name: HTTP ANI File Anih Hdr Size BO
Risk level: High
Action taken: Block
Attacking computer: union.222360.com(222.216.28.25, 80)
Traffic description: TCP, www-http
neech
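The NAV alert quoted above, "HTTP ANI File Anih Hdr Size BO", is Symantec's network signature for the Windows animated-cursor header overflow patched in MS07-017 (April 2007): the ANI loader copied the 'anih' chunk into a fixed 36-byte ANIHEADER structure while trusting the chunk's declared length, so a web page serving a crafted .ani could run code in the browser. A blocked alert from the host union.222360.com means the IPS saw such a file on the wire and dropped it; repeated alerts mean the machine keeps fetching content from that host. The Python below is an added example, not from the thread or from Symantec, that performs the file-side equivalent of that check: it walks the RIFF chunks of an .ani (recursing into LIST chunks) and flags an anih chunk whose declared size is not 36, a cbSizeof field that disagrees, or a second anih chunk, the shape the 2007 exploit used to slip past the earlier fix that validated only the first header. Both .ani byte strings are constructed in the script; the hostile one carries filler bytes, not shellcode.

```python
"""Check an ANI cursor file for the 'anih' header-size condition that the NAV
signature "HTTP ANI File Anih Hdr Size BO" looks for on the wire.

Added example, not from the thread or from Symantec. The two .ani byte strings
are constructed here; the hostile one carries filler, not shellcode.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER), the fixed-size structure the parser copies into


def iter_chunks(data, start, end):
    """Yield (fourcc, payload offset, declared size) for RIFF chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length


def check_ani(data):
    """Return a list of findings; an empty list means every anih chunk is well-formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    anih_seen = 0
    # LIST chunks nest, so walk with an explicit stack instead of stopping at the first anih.
    stack = [(12, min(len(data), riff_size + 8))]
    while stack:
        start, end = stack.pop()
        for fourcc, off, size in iter_chunks(data, start, end):
            if off + size > end:
                findings.append(f"chunk {fourcc!r} declares {size} bytes, past the end of its parent")
                break
            if fourcc == b"LIST":
                stack.append((off + 4, off + size))  # skip the list-type fourcc (e.g. 'fram')
            elif fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih chunk #{anih_seen} declares {size} bytes, expected {ANIH_SIZE}")
                elif struct.unpack_from("<I", data, off)[0] != ANIH_SIZE:
                    findings.append(f"anih chunk #{anih_seen} cbSizeof field is not {ANIH_SIZE}")
                if anih_seen > 1:
                    findings.append("more than one anih chunk")
    if anih_seen == 0:
        findings.append("no anih chunk")
    return findings


# --- constructed samples -----------------------------------------------------
def chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff(payload):
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


def anih_header(frames=1):
    # ANIHEADER: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    return struct.pack("<9I", ANIH_SIZE, frames, frames, 0, 0, 0, 0, 10, 1)


FRAME_LIST = chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 16))
BENIGN_ANI = riff(b"ACON" + chunk(b"anih", anih_header()) + FRAME_LIST)
# Well-formed first anih, then an oversized second one: the shape the 2007 exploit
# used to get past a check that validated only the first header.
HOSTILE_ANI = riff(b"ACON" + chunk(b"anih", anih_header()) + chunk(b"anih", b"A" * 200) + FRAME_LIST)

if __name__ == "__main__":
    print("benign :", check_ani(BENIGN_ANI) or "ok")
    print("hostile:", check_ani(HOSTILE_ANI))
```

The check is deliberately structural rather than signature-based: it does not look for particular bytes, only for a chunk header whose declared length could not fit the destination buffer, which is what the network IPS is keying on as well. Run it over a directory of .ani files from a browser cache to see whether the blocked page ever got a copy onto disk.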

Re: Please help...Here is hijackthis log

Post by gringo_pr » December 20th, 2007, 6:57 am

hello neech

One or more of the identified infections is a backdoor trojan.


Affected operating systems: Windows

Side effects:
  • Allows others to access the computer
  • Steals information
  • Downloads code from the internet
  • Installs itself in the Registry

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post



Gringo

Re: Please help...Here is hijackthis log

Post by neech » December 21st, 2007, 6:38 am

Hi gringo.
For your information, I FORMATTED AND REINSTALLED THE OS BEFORE WRITING TO THIS FORUM, AS I THOUGHT IT WOULD CLEAN THE TROJAN. HOWEVER IT DIDN'T; THAT'S WHY I CAME TO THIS FORUM...
I FORMATTED THE SYSTEM PARTITION BUT DIDN'T FORMAT THE OTHER DRIVE WHICH I USE TO SAVE MY FILES (such as data, songs, pics, program setup files etc.)...
So what should I do now, because I have already formatted my PC before but it didn't clean the trojan...
neech

Re: Please help...Here is hijackthis log

Post by gringo_pr » December 23rd, 2007, 9:15 pm

Hello neech

First, I would like you to uninstall the version of ComboFix you have now and install the newer one from one of the links below.

We need to have all your removable drives connected (jump drives, cameras, phones that have been connected, anything that acts like a drive); this is where you keep getting infected,
so we need to clean those at the same time we do the computer.


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

Download and Install SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.


Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum



Run CFScript
Open Notepad and copy/paste the text in the box into the window:


File:: 
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\AniGIF.ocx 
C:\WINDOWS\system32\wbocx.ocx
C:\WINDOWS\system32\wbhelp2.dll
C:\WINDOWS\system32\mhjixiocbtxu.exe

Driver:: 
f0ufzatyeit



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


please only run ComboFix once and let us see the log;
when you run it more than once it is hard to tell what is going on

please don't install or download anything until instructed to do so

please send me the log from sdfix
please send me the log from ComboFix
and a new hijackthis log



gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Please help...Here is hijackthis log

Unread postby neech » December 24th, 2007, 5:39 pm

hello gringo

Here is the SDFix log:
SDFix: Version 1.119

Run by B h a r a t on Mon 12/24/2007 at 01:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
f0ufzatyeit

Path:
C:\WINDOWS\system32\mhjixiocbtxu.exe /service

f0ufzatyeit - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:



Could Not Remove C:\autorun.inf


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 13:19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"="C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe:*:Enabled:24Online Client"
"C:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"="C:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe:*:Enabled:Camfrog Client Module"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\autorun.inf Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 11 Dec 2007 123,551 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Mon 24 Dec 2007 45,421 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Wed 12 Dec 2007 77,312 ...H. --- "C:\Documents and Settings\B h a r a t\My Documents\~WRL0002.tmp"
Fri 21 Dec 2007 341,796 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\284ed1b6481414bca757a979275d63e5\BIT7F.tmp"
Thu 13 Dec 2007 1,123,880 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ef9933da35bdbcb8d9cd93868ba3092\BIT100.tmp"
Tue 18 Dec 2007 54,807,786 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ff1abc45bb4b51f55d5dd49be852a17a\BIT1.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!
--------------------------------------------------------------------------------------------------------------------

Here is the combofix log:
ComboFix 07-12-24.8 - B h a r a t 2007-12-24 13:26:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.212 [GMT -8:00]
Running from: C:\Documents and Settings\B h a r a t\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\B h a r a t\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\AniGIF.ocx
C:\WINDOWS\system32\mhjixiocbtxu.exe
C:\WINDOWS\system32\wbhelp2.dll
C:\WINDOWS\system32\wbocx.ocx
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\AniGIF.ocx
C:\WINDOWS\system32\wbhelp2.dll
C:\WINDOWS\system32\wbocx.ocx

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 13:13 . 2007-12-24 13:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-23 13:40 . 2007-12-23 13:40 <DIR> d-------- C:\Documents and Settings\B h a r a t\Shared
2007-12-23 13:40 . 2007-12-23 14:17 <DIR> d-------- C:\Documents and Settings\B h a r a t\Incomplete
2007-12-23 13:39 . 2007-12-23 13:39 <DIR> d-------- C:\Program Files\LimeWire
2007-12-23 13:39 . 2007-12-23 14:17 <DIR> d-------- C:\Documents and Settings\B h a r a t\Application Data\LimeWire
2007-12-22 01:48 . 2007-12-22 01:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-22 01:46 . 2007-12-22 01:48 <DIR> d-------- C:\Documents and Settings\B h a r a t\Application Data\Nokia
2007-12-22 01:46 . 2007-12-22 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-22 01:45 . 2007-12-22 01:45 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-12-22 01:45 . 2007-12-22 01:45 <DIR> d-------- C:\Program Files\Nokia
2007-12-22 01:45 . 2007-12-22 01:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-12-22 01:45 . 2007-12-22 01:45 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-12-22 01:45 . 2007-12-22 08:12 <DIR> d-------- C:\Documents and Settings\B h a r a t\Application Data\PC Suite
2007-12-22 01:45 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-22 01:45 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-12-22 01:45 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-22 01:45 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-12-22 01:45 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-12-22 01:45 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-12-22 01:44 . 2007-12-22 01:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-21 03:25 . 2007-12-21 03:26 <DIR> d-------- C:\TALLYNL
2007-12-20 02:34 . 2007-12-20 02:34 <DIR> d-------- C:\Documents and Settings\B h a r a t\Application Data\Camfrog
2007-12-20 02:32 . 2007-12-20 02:44 <DIR> d-------- C:\Program Files\Camfrog
2007-12-19 14:12 . 2007-12-19 14:12 <DIR> d-------- C:\WINDOWS\Sun
2007-12-19 04:08 . 2007-12-23 16:00 <DIR> d-------- C:\Program Files\WebcamMax
2007-12-19 03:17 . 2007-12-22 03:58 230,424 --a------ C:\DC6810xp-001.raw
2007-12-18 05:31 . 2007-12-18 05:31 <DIR> d-------- C:\Program Files\LeechGet 2007
2007-12-16 04:58 . 2007-12-16 04:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-16 01:48 . 2007-12-24 01:44 116 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-16 00:28 . 2007-12-16 00:28 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-16 00:28 . 2007-12-16 00:28 <DIR> d-------- C:\Program Files\Ahead
2007-12-16 00:28 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-12-16 00:28 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-12-16 00:28 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-12-16 00:28 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-12-16 00:28 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-16 00:28 . 2004-03-02 17:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-12-16 00:28 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-12-16 00:28 . 2004-03-02 17:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-14 14:15 . 2004-08-03 10:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-14 14:14 . 2006-09-16 03:02 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-14 03:01 . 2007-12-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 12:40 . 2007-12-13 12:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-13 10:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 10:14 . 2007-12-13 10:15 <DIR> d-------- C:\Program Files\Java
2007-12-13 08:46 . 2007-12-13 08:46 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-12 08:51 . 2007-07-12 15:31 765,952 -----c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-12-12 04:48 . 2007-12-12 04:48 <DIR> d--hs---- C:\INCINERATE
2007-12-12 04:44 . 2007-12-14 22:35 <DIR> d-------- C:\Program Files\iolo
2007-12-12 04:44 . 2007-12-12 04:44 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-11 12:10 . 2007-12-14 14:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-11 09:56 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-11 09:56 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-11 09:56 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-11 08:51 . 2007-12-11 08:51 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Real
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-11 08:49 . 2007-12-11 08:49 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-11 07:03 . 2007-12-11 07:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-10 22:51 . 2007-03-30 19:58 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-10 10:30 . 2007-12-10 10:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-10 07:50 . 2007-12-11 06:28 <DIR> d-------- C:\Program Files\Windows Live
2007-12-10 07:50 . 2007-12-10 10:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-10 07:49 . 2007-12-11 06:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-10 06:14 . 2007-12-10 06:16 <DIR> d-------- C:\Program Files\Microsoft LifeCam
2007-12-10 06:08 . 2007-12-17 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-10 05:44 . 2007-12-10 05:44 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-10 05:07 . 2005-07-04 16:03 1,650,688 --a------ C:\WINDOWS\system32\qdiagdwc.ocx
2007-12-10 05:07 . 2005-02-09 13:08 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-12-10 05:07 . 2005-02-08 13:04 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-12-10 05:07 . 2005-02-08 15:46 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-12-10 05:07 . 2005-02-07 19:07 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-12-10 04:43 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-12-10 04:43 . 2006-04-26 14:59 217,185 --a------ C:\WINDOWS\system32\GTDownDE_130.ocx
2007-12-10 04:42 . 2007-12-10 04:42 <DIR> d-------- C:\Program Files\Dell Support
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d--h----- C:\Documents and Settings\B h a r a t\Application Data\GTek
2007-12-10 04:42 . 2007-12-10 04:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2007-12-10 04:05 . 2007-12-23 13:52 <DIR> d-------- C:\Documents and Settings\B h a r a t\Contacts
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-10 03:56 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-10 03:56 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-10 03:44 . 2007-12-10 03:44 <DIR> d-------- C:\Program Files\eLitecore
2007-12-10 03:44 . 2004-01-06 11:12 128,000 --a------ C:\WINDOWS\UnGins.exe
2007-12-10 03:40 . 2007-12-10 03:40 <DIR> d-------- C:\Program Files\Broadcom
2007-12-10 03:40 . 2006-11-21 04:25 45,568 -ra------ C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2007-12-10 02:34 . 2007-12-10 02:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 02:34 . 2007-12-11 09:36 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-10 02:27 . 2007-12-11 10:03 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-10 02:26 . 2007-12-11 09:27 <DIR> d-------- C:\Program Files\Symantec
2007-12-10 02:26 . 2007-12-11 09:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-10 02:26 . 2007-12-11 09:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-10 02:26 . 2007-12-11 09:27 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-10 02:26 . 2007-12-11 09:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-10 02:15 . 2007-12-12 10:08 376 --a------ C:\WINDOWS\ODBC.INI
2007-12-10 02:14 . 2007-12-10 02:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-10 02:13 . 2007-12-10 02:14 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a------ C:\WINDOWS\system32\drivers\BCM4E5.SYS
2007-12-10 02:00 . 2001-08-17 12:11 26,568 --a--c--- C:\WINDOWS\system32\dllcache\bcm4e5.sys
2007-12-10 01:57 . 2001-08-17 12:11 54,271 --a------ C:\WINDOWS\system32\drivers\bcm42xx5.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 21:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-10 08:48 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-10 08:42 --------- d-----w C:\Program Files\Microsoft Games
2007-12-10 08:41 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-10 08:41 --------- d-----w C:\Program Files\Microsoft PowerToys
2007-12-10 08:41 --------- d-----w C:\Program Files\HashTab Shell Extension
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 17:20 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-10-31 03:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 03:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 03:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 03:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 03:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 03:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 03:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 03:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 03:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 19:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 10:26]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57]
"amva"="C:\WINDOWS\system32\amvo.exe" []
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 10:29]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 11:41]
"VX6000"="C:\WINDOWS\vVX6000.exe" [2006-06-29 15:55]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 15:54]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 20:00]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 19:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-11 08:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\CAMTHINS.exe" [2006-07-20 05:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

R0 ENO;ENO;C:\WINDOWS\system32\drivers\ENO.sys [2003-10-22 12:57]
R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2006-07-02 22:39]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-06-29 15:54]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS [2001-08-17 12:11]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys [2006-06-29 15:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4109f6e7-ae24-11dc-b696-0015c51718f5}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 10:32:46 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - B h a r a t.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 13:27:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 13:27:58
.
2007-12-15 11:06:04 --- E O F ---

----------------------------------------------------------------------------------------------------------------------------------

Here is Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:29:16 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\B h a r a t\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19DB0E94-8303-44EF-9AC2-B5F4ACDC45A3}: NameServer = 172.16.77.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
neech
Regular Member
 
Posts: 24
Joined: December 12th, 2007, 5:44 pm
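Reading the SDFix and ComboFix output above by hand is easy to get wrong, so here is an added Python helper (not part of this thread, and not code from SDFix, ComboFix or HijackThis) that pulls out the three removable-drive autorun indicators visible in these logs: an autorun.inf in a drive root, mountpoints2 AutoRun handlers that launch a file from a drive letter, and files carrying the system+hidden attributes inside system32. The sample log is constructed from lines in the posts above; the regular expressions are the helper's own assumptions about the log layout.

```python
"""Triage helper for SDFix / ComboFix style logs (added example, not a tool's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines taken from the SDFix and ComboFix logs in this thread.
SAMPLE_LOG = r"""
Could Not Remove C:\autorun.inf

Files with Hidden Attributes:

Tue 11 Dec 2007 123,551 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Mon 24 Dec 2007 45,421 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Wed 12 Dec 2007 77,312 ...H. --- "C:\Documents and Settings\B h a r a t\My Documents\~WRL0002.tmp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4109f6e7-ae24-11dc-b696-0015c51718f5}]
\Shell\AutoRun\command - F:\n1deiect.com
\Shell\explore\Command - F:\n1deiect.com
\Shell\open\Command - F:\n1deiect.com

Remaining Files:
C:\autorun.inf Found
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun.inf", "mountpoint" or "hidden-system-file"
    detail: str  # path, or "<mountpoint guid> <verb> -> <target>"
    line: int    # 1-based line number in the log text


# Layout assumptions (hypothetical, derived from the lines above, not from the tools' docs).
AUTORUN_INF = re.compile(r"([A-Z]:\\autorun\.inf)\b", re.IGNORECASE)
MOUNTPOINT_KEY = re.compile(r"^\[HKEY_.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
MOUNTPOINT_CMD = re.compile(r"^\\Shell\\(\w+)\\command - ([A-Z]:\\\S+)", re.IGNORECASE)
# SDFix line: "<dow> <day> <mon> <year> <size> <attrs> --- "<path>"", attrs like ..SHR / A..H.
HIDDEN_ATTR = re.compile(r'^\w{3} \d{1,2} \w{3} \d{4} [\d,]+ (\S{5}) --- "([^"]+)"$')
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the autorun-worm indicators."""
    findings: List[Finding] = []
    current_key = None  # GUID of the mountpoints2 key whose handlers we are inside
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_INF.search(line)
        if m:  # an autorun.inf in a drive root, whether "Found" or "Could Not Remove"
            findings.append(Finding("autorun.inf", m.group(1), n))
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m and current_key:  # Explorer will run this target when the drive is opened
            verb, target = m.group(1), m.group(2)
            findings.append(Finding("mountpoint", f"{current_key} {verb} -> {target}", n))
            continue
        m = HIDDEN_ATTR.match(line)
        if m:
            attrs, path = m.groups()
            # System+hidden files dropped into system32 are the pattern seen with amvo.exe.
            if "S" in attrs and "H" in attrs and path.lower().startswith(SYSTEM32):
                findings.append(Finding("hidden-system-file", path, n))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Deduplicate findings per kind and list the drive letters the handlers point at."""
    out = {"autorun.inf": set(), "mountpoint": set(), "hidden-system-file": set(), "drives": set()}
    for f in findings:
        out[f.kind].add(f.detail)
        if f.kind == "mountpoint":
            out["drives"].add(f.detail.rsplit("-> ", 1)[1][0].upper())
    return {kind: sorted(values) for kind, values in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3}  {f.kind:<19} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

The "drives" entry in the summary is the list of drive letters to clean alongside the system, which is the point gringo makes about removable media being the source of reinfection.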

Re: Please help...Here is hijackthis log

Unread postby neech » December 25th, 2007, 3:39 am

hi gringo
For your info: the problems are still there after performing the fixes. I connected all my external drives when running the scans.
neech
Regular Member
 
Posts: 24
Joined: December 12th, 2007, 5:44 pm