Help me remove malware and spyware.


Unread postby rsshekar » October 26th, 2007, 6:29 am

hi,

Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:23 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... x_homepage
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{F5-54-47-75-ZN}] C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [84cf54da] rundll32.exe "C:\WINDOWS\system32\qthgamsf.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\Software\..\Telephony: DomainName = bng.cbaysystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\aeegyadh.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Zabbix Win32 Agent (ZabbixAgentdW32) - Unknown owner - C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe (file missing)

--
End of file - 6055 bytes

Please Help.

./s
rsshekar
Regular Member
 
Posts: 32
Joined: October 19th, 2007, 3:08 am
Location: Bangalore

Unread postby beynac » October 26th, 2007, 9:01 am

Good afternoon. :)

I'll be happy to help you sort out your problem. In order to help me with this, please note the following points:
  • If you have any questions or problems - stop and ask
  • It's important that you do not take any independent action to clean the computer (e.g. scans and clean-up programs)
  • Please continue until I give the "all clear". The symptoms may disappear quite quickly, but this doesn't mean that the computer is clean
----------------------------------------------

ComboFix by sUBs

Important: If you already have ComboFix on your computer, please delete it and download the latest version.
  • Download this file - ComboFix.exe. (Please save it on your desktop).
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

--------------------------------------------------

Please post the following as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
Please also describe what symptoms you are getting.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby rsshekar » October 26th, 2007, 10:09 am

Thank you,

Please find the ComboFix log followed by the latest HijackThis log.

ComboFix 07-10-26.4 - Administrator 2007-10-26 19:19:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\gejopaul\Desktop\internet.lnk
C:\Documents and Settings\vadirajks\Application Data\inst.exe
C:\Documents and Settings\vadirajks\Application Data\YSTEM~1
C:\Documents and Settings\vadirajks\Favorites\Online Security Guide.lnk
C:\Documents and Settings\vadirajks\My Documents\SKS~1
C:\Documents and Settings\vadirajks\My Documents\SKS~1\??sks\
C:\Documents and Settings\vadirajks\My Documents\SKS~1\winlogon.exe
C:\Documents and Settings\vadirajks\Start Menu\Programs\Outerinfo
C:\Documents and Settings\vadirajks\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\vadirajks\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\vadirajks\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\sembly~1
C:\Program Files\icroso~1.net
C:\Program Files\stem~1
C:\Temp\fCOe
C:\temp\iee
C:\WINDOWS\b138.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\system32\bmcinphh.dllbox
C:\WINDOWS\system32\gdwntqxy.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~1\w?auclt.exe
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.tmp
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\winticomsv.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-26 19:23 76,864 --a------ C:\WINDOWS\system32\qbkmsuvo.dll
2007-10-26 19:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 19:14 83,008 --a------ C:\WINDOWS\system32\dhshtrlf.dll
2007-10-26 15:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2007-10-26 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MEGAUPLOADTOOLBAR
2007-10-26 14:22 83,008 --a------ C:\WINDOWS\system32\bkkcgpnq.dll
2007-10-26 08:15 84,544 --a------ C:\WINDOWS\system32\utyvlwkw.dll
2007-10-25 08:12 84,544 --a------ C:\WINDOWS\system32\slvpsoem.dll
2007-10-25 08:02 84,544 --a------ C:\WINDOWS\system32\epadqqcn.dll
2007-10-25 07:33 84,544 --a------ C:\WINDOWS\system32\wfmplcne.dll
2007-10-25 07:32 <DIR> d-------- C:\Documents and Settings\vadirajks\Application Data\Windows Desktop Search
2007-10-24 21:50 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-10-23 06:51 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-10-23 06:51 <DIR> d-------- C:\Documents and Settings\vadirajks\Application Data\MegauploadToolbar
2007-10-23 05:42 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-10-23 05:35 <DIR> d-------- C:\Program Files\GustoSoft
2007-10-20 11:43 <DIR> d-------- C:\Documents
2007-10-14 13:30 <DIR> d-------- C:\Program Files\UltraISO
2007-10-08 19:55 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-07 17:53 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-07 17:51 0 --a------ C:\WINDOWS\tsitra77.exe
2007-10-07 09:20 <DIR> d-------- C:\Documents and Settings\muralidharn\Application Data\Media Player Classic
2007-10-06 22:06 <DIR> d-------- C:\vadi-thuderbirdmails

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 14:01 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-26 14:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SolidDocuments
2007-10-26 10:14 --------- d-----w C:\Program Files\Java
2007-10-25 02:40 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\SolidDocuments
2007-10-23 00:07 --------- d-----w C:\Program Files\DivX
2007-10-20 20:25 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\Shareaza
2007-10-11 12:13 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\OpenOffice.org2
2007-10-11 10:28 --------- d-----w C:\Program Files\PuTTY
2007-10-08 14:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SolidDocuments
2007-10-07 05:53 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\OpenOffice.org2
2007-10-07 02:41 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\SolidDocuments
2007-09-12 01:47 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\DivX
2007-09-11 09:41 --------- d-----w C:\Documents and Settings\sureshg\Application Data\SolidDocuments
2007-09-07 21:16 --------- d-----w C:\Program Files\Transcender
2007-09-07 07:17 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\Notepad++
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-06-29 07:27 12,386 ----a-w C:\Documents and Settings\gejopaul\51536359.zip
2007-06-20 08:56 2,531 ----a-w C:\Documents and Settings\gejopaul\70866817.zip
2007-06-20 08:49 4,052 ----a-w C:\Documents and Settings\gejopaul\5696615.zip
2007-05-05 09:49 94,208 ----a-w C:\Documents and Settings\vadirajks\Application Data\ezplay.sys
2007-05-05 09:49 47,360 ----a-w C:\Documents and Settings\vadirajks\Application Data\pcouffin.sys
2007-03-20 17:43 357 -c--a-w C:\Documents and Settings\gejopaul\.cb_layout.bin
2007-02-16 10:32 1,070,545 ----a-w C:\Documents and Settings\vadirajks\Application Data\Mozilla.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2003-09-19 18:04]
"Gene USB Monitor"="C:\WINDOWS\system32\UMonit2K.exe" [2003-09-15 07:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-15 20:43]
"{F5-54-47-75-ZN}"="C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe" []
"84cf54da"="C:\WINDOWS\system32\dhshtrlf.dll" [2007-10-26 19:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\muralidharn\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bmcinphh]
bmcinphh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2001-11-02 10:50 24636 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutqrp]
wvutqrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1163\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1305\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1425\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1443\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1463\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1469\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1473\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1484\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-500\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

S2 ZabbixAgentdW32;Zabbix Win32 Agent;"C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe" --config "C:\zabbix_agentd.conf"
S4 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.0.21#common#office2003]
AutoRun\command - Z:\setup.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 19:31:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 19:33:18 - machine was rebooted
.
--- E O F ---

Here is the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:35:59 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... x_homepage
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{F5-54-47-75-ZN}] C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [84cf54da] rundll32.exe "C:\WINDOWS\system32\dhshtrlf.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\Software\..\Telephony: DomainName = bng.cbaysystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bmcinphh - bmcinphh.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: wvutqrp - wvutqrp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Zabbix Win32 Agent (ZabbixAgentdW32) - Unknown owner - C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe" --config "C:\zabbix_agentd.conf (file missing)

./s

Unread postby beynac » October 26th, 2007, 10:59 am

Hi.

ComboFix has done a good job getting rid of some of the malware and uncovering some more. :)

You've used the old version of HijackThis this time. Please always use the Trend Micro version in future.

-------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\qbkmsuvo.dll
C:\WINDOWS\system32\dhshtrlf.dll
C:\WINDOWS\system32\bkkcgpnq.dll
C:\WINDOWS\system32\utyvlwkw.dll
C:\WINDOWS\system32\slvpsoem.dll
C:\WINDOWS\system32\epadqqcn.dll
C:\WINDOWS\system32\wfmplcne.dll
C:\WINDOWS\tsitra77.exe
C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe
C:\WINDOWS\system32\bmcinphh.dll
C:\WINDOWS\system32\wvutqrp.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{F5-54-47-75-ZN}"=-
"84cf54da"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bmcinphh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutqrp]


Save this on your Desktop as CFScript.txt

[Image: screenshot of CFScript.txt being dragged onto ComboFix.exe]
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall

--------------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
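As an added illustration of the triage the helper performs in the post above (example code written for this page, not the forum's, HijackThis's or ComboFix's own), here is a small Python parser over HijackThis log lines. It marks orphaned R/O2/O3 entries ("(no file)") as candidates for the HijackThis "Fix checked" list, flags O4 Run entries that launch from a Temp directory or load a random-looking DLL through rundll32, flags O20 Winlogon Notify packages registered by bare filename, reports unowned O23 services whose binary is missing, and emits a CFScript in the File::/Registry:: form used above. The sample lines are copied from the logs posted in this thread; the assumption that a bare Notify DLL resolves from system32 mirrors what the helper assumed; the 7-8 lowercase-letter "random name" test is a crude heuristic, and every finding is meant for a human to confirm.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{F5-54-47-75-ZN}] C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [84cf54da] rundll32.exe "C:\WINDOWS\system32\dhshtrlf.dll",b
O20 - Winlogon Notify: bmcinphh - bmcinphh.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\aeegyadh.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))(?:\s|$)', re.IGNORECASE)
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?: \(file missing\))?$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}$")  # crude heuristic: names like dhshtrlf, wvutqrp
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
ORPHAN_SECTIONS = {"R0", "R1", "R3", "O2", "O3"}


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str
    path: str = ""        # file to list under CFScript File::
    reg_key: str = ""     # registry key for CFScript Registry::
    reg_value: str = ""   # '"name"=-' drops one value; empty means delete the whole key


def _o4(body, raw):
    m = O4_RE.match(body)
    if not m or m.group("hive") not in RUN_KEYS:
        return None
    key = RUN_KEYS[m.group("hive")] + "\\" + m.group("key")
    value = '"%s"=-' % m.group("name")  # CFScript syntax for deleting one value
    cmd = m.group("cmd")
    r = RUNDLL_RE.match(cmd)
    if r and RANDOM_NAME_RE.match(r.group("dll").rsplit("\\", 1)[-1][:-4]):
        return Finding("O4", raw, "rundll32 loads a random-named DLL", r.group("dll"), key, value)
    e = EXE_RE.match(cmd)
    exe = (e.group("q") or e.group("u")) if e else cmd
    if not r and "\\temp\\" in exe.lower():
        return Finding("O4", raw, "autorun launches from a Temp directory", exe, key, value)
    return None


def _o20(body, raw):
    m = O20_RE.match(body)
    if not m or "\\" in m.group("dll"):
        return None  # a full path is given; the legitimate packages in this log all have one
    # Assumption (the helper in this thread made the same one): a bare Notify DLL lives in system32.
    return Finding("O20", raw, "Notify package registered by bare filename",
                   r"C:\WINDOWS\system32" + "\\" + m.group("dll"), NOTIFY_KEY + "\\" + m.group("name"))


def _o23(body, raw):
    m = O23_RE.match(body)
    if m and m.group("owner") == "Unknown owner" and body.endswith("(file missing)"):
        return Finding("O23", raw, "unowned service whose binary is missing; report only, not scripted")
    return None


def triage(log_text):
    """Parse HijackThis lines and return Findings in log order."""
    findings = []
    for raw in (ln.strip() for ln in log_text.splitlines()):
        m = LINE_RE.match(raw)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ORPHAN_SECTIONS and body.endswith(("(no file)", "(file missing)")):
            f = Finding(sec, raw, "orphaned entry: points at a file that no longer exists")
        else:
            f = {"O4": _o4, "O20": _o20, "O23": _o23}.get(sec, lambda b, r: None)(body, raw)
        if f:
            findings.append(f)
    return findings


def tick_list(findings):
    """Lines to tick in HijackThis before 'Fix checked': the harmless orphaned entries."""
    return [f.line for f in findings if f.section in ORPHAN_SECTIONS]


def build_cfscript(findings):
    # File:: then Registry::, the two section headers ComboFix reads from CFScript.txt in this thread
    files = [f.path for f in findings if f.path]
    grouped, deletions = {}, []
    for f in findings:
        if f.reg_key and f.reg_value:
            grouped.setdefault(f.reg_key, []).append(f.reg_value)
        elif f.reg_key:
            deletions.append("[-%s]" % f.reg_key)  # leading '-' deletes the whole key
    reg = [ln for key, vals in grouped.items() for ln in ["[%s]" % key] + vals] + deletions
    parts = (["File::\n" + "\n".join(files)] if files else []) + (["Registry::\n" + "\n".join(reg)] if reg else [])
    return "\n\n".join(parts) + ("\n" if parts else "")
```

Run `triage(open("hijackthis.log").read())` over a full log to get the findings, `tick_list` for the HijackThis step and `build_cfscript` for the ComboFix step. On the sample above the script lists thinksnet.exe, dhshtrlf.dll and bmcinphh.dll under File::, drops the two Run values and the bmcinphh Notify key under Registry::, and leaves DomainService as a report-only finding, which matches what the helper did by hand in this thread.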

Unread postby rsshekar » October 26th, 2007, 2:13 pm

Hi,

Here is the ComboFix log and the latest HijackThis log

ComboFix 07-10-26.4 - Administrator 2007-10-26 23:20:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.157 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt.txt
* Created a new restore point

FILE::
C:\Documents and Settings\vadirajks\Local Settings\Temp\thinksnet.exe
C:\WINDOWS\system32\bkkcgpnq.dll
C:\WINDOWS\system32\bmcinphh.dll
C:\WINDOWS\system32\dhshtrlf.dll
C:\WINDOWS\system32\epadqqcn.dll
C:\WINDOWS\system32\qbkmsuvo.dll
C:\WINDOWS\system32\slvpsoem.dll
C:\WINDOWS\system32\utyvlwkw.dll
C:\WINDOWS\system32\wfmplcne.dll
C:\WINDOWS\system32\wvutqrp.dll
C:\WINDOWS\tsitra77.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bkkcgpnq.dll
C:\WINDOWS\system32\dhshtrlf.dll
C:\WINDOWS\system32\epadqqcn.dll
C:\WINDOWS\system32\qbkmsuvo.dll
C:\WINDOWS\system32\slvpsoem.dll
C:\WINDOWS\system32\utyvlwkw.dll
C:\WINDOWS\system32\wfmplcne.dll
C:\WINDOWS\tsitra77.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-26 19:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 15:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2007-10-26 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MEGAUPLOADTOOLBAR
2007-10-25 07:32 <DIR> d-------- C:\Documents and Settings\vadirajks\Application Data\Windows Desktop Search
2007-10-24 21:50 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-10-23 06:51 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-10-23 06:51 <DIR> d-------- C:\Documents and Settings\vadirajks\Application Data\MegauploadToolbar
2007-10-23 05:42 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-10-23 05:35 <DIR> d-------- C:\Program Files\GustoSoft
2007-10-20 11:43 <DIR> d-------- C:\Documents
2007-10-14 13:30 <DIR> d-------- C:\Program Files\UltraISO
2007-10-08 19:55 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-07 17:53 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-07 09:20 <DIR> d-------- C:\Documents and Settings\muralidharn\Application Data\Media Player Classic
2007-10-06 22:06 <DIR> d-------- C:\vadi-thuderbirdmails

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 17:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-26 17:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SolidDocuments
2007-10-26 17:08 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\SolidDocuments
2007-10-26 10:14 --------- d-----w C:\Program Files\Java
2007-10-23 00:07 --------- d-----w C:\Program Files\DivX
2007-10-20 20:25 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\Shareaza
2007-10-11 12:13 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\OpenOffice.org2
2007-10-11 10:28 --------- d-----w C:\Program Files\PuTTY
2007-10-08 14:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SolidDocuments
2007-10-07 05:53 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\OpenOffice.org2
2007-10-07 02:41 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\SolidDocuments
2007-09-12 01:47 --------- d-----w C:\Documents and Settings\vadirajks\Application Data\DivX
2007-09-11 09:41 --------- d-----w C:\Documents and Settings\sureshg\Application Data\SolidDocuments
2007-09-07 21:16 --------- d-----w C:\Program Files\Transcender
2007-09-07 07:17 --------- d-----w C:\Documents and Settings\muralidharn\Application Data\Notepad++
2007-06-29 07:27 12,386 ----a-w C:\Documents and Settings\gejopaul\51536359.zip
2007-06-20 08:56 2,531 ----a-w C:\Documents and Settings\gejopaul\70866817.zip
2007-06-20 08:49 4,052 ----a-w C:\Documents and Settings\gejopaul\5696615.zip
2007-05-05 09:49 94,208 ----a-w C:\Documents and Settings\vadirajks\Application Data\ezplay.sys
2007-05-05 09:49 47,360 ----a-w C:\Documents and Settings\vadirajks\Application Data\pcouffin.sys
2007-03-20 17:43 357 -c--a-w C:\Documents and Settings\gejopaul\.cb_layout.bin
2007-02-16 10:32 1,070,545 ----a-w C:\Documents and Settings\vadirajks\Application Data\Mozilla.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2003-09-19 18:04]
"Gene USB Monitor"="C:\WINDOWS\system32\UMonit2K.exe" [2003-09-15 07:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-15 20:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\muralidharn\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2001-11-02 10:50 24636 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1163\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1305\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1425\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1443\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1463\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1469\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1473\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-1484\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1218989756-668324634-2183318644-500\Scripts\Logon\0\0]
"Script"=\\sus\Common\ocs-ng\startup.bat

S2 ZabbixAgentdW32;Zabbix Win32 Agent;"C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe" --config "C:\zabbix_agentd.conf"
S4 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.0.21#common#office2003]
AutoRun\command - Z:\setup.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 23:26:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-26 23:29:24 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-26 19:33
.
--- E O F ---


The latest HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:50 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... x_homepage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\Software\..\Telephony: DomainName = bng.cbaysystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Zabbix Win32 Agent (ZabbixAgentdW32) - Unknown owner - C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe (file missing)

--
End of file - 5829 bytes


./s
rsshekar
Regular Member
 
Posts: 32
Joined: October 19th, 2007, 3:08 am
Location: Bangalore

Unread postby beynac » October 26th, 2007, 4:51 pm

That looks a lot better! :)

It looks as if we've done it, but I'd like you to run an online scan to make sure that we've got everything.

----------------------------------------------------

Kaspersky Online Scanner

Be aware that downloading the definition files and scanning the computer may take an hour or more.

Using Internet Explorer, go to: http://www.kaspersky.com/virusscanner
  • Click on Kaspersky Online Scanner
  • Click the Accept button (see the note below if using IE7)
  • Follow the prompts to download and install the ActiveX component(s) and other software
    • If a yellow information bar appears at the top of the browser window, click on it and select Install ActiveX Control
    • If a message box appears, click on OK or Run as appropriate
  • Click Accept again (see the note below if using IE7)
  • When a message box appears, click on Install to allow the installation
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as... button:
  • Save the report to your desktop (N.B. Save as type: Text document (txt))
Note: You may get a window without the Accept/Decline buttons. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

------------------------------------------------

Please post the following as a reply to this thread:
  • The Kaspersky report
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Help me remove malware and spyware.

Unread postby rsshekar » October 27th, 2007, 4:15 am

Hi,

Posting the Kaspersky online scan report and the latest HijackThis report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 1:28:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 446923
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 90307
Number of viruses found: 7
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 02:53:41

Infected Object Name / Virus Name / Last Action
C:\791af4fd96069f2f4e3e\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_bd1d3171-43bb-4051-8580-d4f5021f4b15 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.4.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.4.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy7.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_4ec.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02F40000.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02F40001.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\gejopaul\Application Data\Thunderbird\Profiles\ev6picng.default\Mail\Local Folders\Outlook Mail.sbd\Personal Folders.sbd\Inbox/[From "'NOC'" <noc@lists.cbaysystems.com>][Date Thu, 5 Oct 2006 19:04:20 +0530]/PsKill.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\gejopaul\Application Data\Thunderbird\Profiles\ev6picng.default\Mail\Local Folders\Outlook Mail.sbd\Personal Folders.sbd\Inbox/[From "'NOC'" <noc@lists.cbaysystems.com>][Date Thu, 5 Oct 2006 19:04:20 +0530]/PsKill.zip Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\gejopaul\Application Data\Thunderbird\Profiles\ev6picng.default\Mail\Local Folders\Outlook Mail.sbd\Personal Folders.sbd\Inbox Mail Berkeley mbox: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0668NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0710NAV~.TMP Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\d1\800004E8/VncViewer.class Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\800004E8 ZIP: infected - 1 skipped
C:\WINDOWS\CSC\d1\80000680/packed/vnc_unixsrc/vncserver.init Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\80000680/packed/vnc_unixsrc/classes/VncViewer.class Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\80000680/packed/vnc_unixsrc/classes/VncViewer.jar/VncViewer.class Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\80000680/packed/vnc_unixsrc/classes/VncViewer.jar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\80000680/packed Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d1\80000680 GZIP: infected - 5 skipped
C:\WINDOWS\CSC\d1\800008D8/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d1\800008D8 NSIS: infected - 1 skipped
C:\WINDOWS\CSC\d2\80000679/packed/classes/VncViewer.class Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d2\80000679/packed/classes/VncViewer.jar/VncViewer.class Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d2\80000679/packed/classes/VncViewer.jar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d2\80000679/packed Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\CSC\d2\80000679 GZIP: infected - 4 skipped
C:\WINDOWS\CSC\d4\800008D3/Torpark 2.0.0.2a/App/Tconfig.exe/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d4\800008D3/Torpark 2.0.0.2a/App/Tconfig.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d4\800008D3 7-Zip: infected - 2 skipped
C:\WINDOWS\CSC\d7\80001336/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d7\80001336 NSIS: infected - 1 skipped
C:\WINDOWS\CSC\d7\80001506/Torpark 2.0.0.3a/App/Tconfig.exe/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d7\80001506/Torpark 2.0.0.3a/App/Tconfig.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\WINDOWS\CSC\d7\80001506 7-Zip: infected - 2 skipped
C:\WINDOWS\CSC\d8\800004E7 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{006FBC5B-F42E-47AA-A0A3-6B8815189A90}\RP264\change.log Object is locked skipped

Scan process completed.


Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:11 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\Software\..\Telephony: DomainName = bng.cbaysystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Zabbix Win32 Agent (ZabbixAgentdW32) - Unknown owner - C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe (file missing)

--
End of file - 5587 bytes

Thanks,
./s
rsshekar
Regular Member
 
Posts: 32
Joined: October 19th, 2007, 3:08 am
Location: Bangalore
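The log above is in HijackThis 2.x's one-entry-per-line format, and the first thing a helper does with it is pick out the handful of entries worth asking about: services whose binary is missing or whose vendor is unknown, remote-control services such as VNC and pcAnywhere, autoruns that launch a script interpreter or live in a user-writable folder, ActiveX controls pulled from a URL, and O17 domain settings. The following is an added example of that triage, not code from the forum or from HijackThis. The regexes, the keyword lists (remote-access products, interpreters, user-writable paths) and the reasons are my own heuristics, and the sample log is constructed from lines in the post above (the Kaspersky URL keeps the forum's own truncation).

```python
"""Triage a Trend Micro HijackThis 2.x log for the entries a helper checks first.

Added example, not part of the forum thread.  Parses the R0/O4/O16/O17/O23
entry lines shown above and returns the ones that need a question asked.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\(?P<key>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<src>.+)$")
O17_RE = re.compile(r"^(?P<key>.+?): (?P<param>\w+) = (?P<value>.+)$")
O23_RE = re.compile(r"^Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed keyword lists (my heuristics, not HijackThis rules).
# Remote-control products: fine if the owner installed them, a backdoor if not.
REMOTE_ACCESS = ("vnc", "pcanywhere", "awhost32", "radmin")
# Interpreters that turn an autorun into "run whatever this script says".
INTERPRETERS = ("cmd.exe", "cscript", "wscript", "mshta", "rundll32", "regsvr32")
# Locations a non-admin user (or malware running as one) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "%temp%", "\\desktop\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log: str):
    """Yield (section, body, full line) for every HijackThis entry line."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["sec"], m["body"], raw.strip()


def triage(log: str) -> list[Finding]:
    """Return the entries a helper would ask the user about, one reason each."""
    findings: list[Finding] = []

    def flag(sec: str, reason: str, line: str) -> None:
        findings.append(Finding(sec, reason, line))

    for sec, body, line in parse_entries(log):
        if sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # "Global Startup: x.lnk = ..." form is not handled here
            cmd = m["cmd"].lower()
            if any(i in cmd for i in INTERPRETERS):
                flag(sec, "autorun invokes a shell/script interpreter", line)
            if any(p in cmd for p in USER_WRITABLE):
                flag(sec, "autorun binary lives in a user-writable path", line)
        elif sec == "O16":
            m = O16_RE.match(body)
            if m and m["src"].lower().startswith(("http://", "https://")):
                flag(sec, "ActiveX control fetched from a URL; verify the site", line)
        elif sec == "O17":
            if O17_RE.match(body):
                flag(sec, "domain/DNS setting; must match the owner's network", line)
        elif sec == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            desc, owner, path = m["desc"], m["owner"], m["path"]
            if "(file missing)" in path:
                flag(sec, "service binary missing (orphaned or deleted)", line)
            if owner.lower() == "unknown owner":
                flag(sec, "service has no recognised vendor", line)
            if any(p in path.lower() for p in USER_WRITABLE):
                flag(sec, "service binary in a user-writable path", line)
            if any(t in (desc + path).lower() for t in REMOTE_ACCESS):
                flag(sec, "remote-access service; confirm it is wanted", line)
    return findings


# Constructed sample: lines taken from the log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bng.cbaysystems.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Zabbix Win32 Agent (ZabbixAgentdW32) - Unknown owner - C:\Documents and Settings\vadirajks\Desktop\ZabbixW32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the script raises eight findings: the two remote-control services (pcAnywhere and VNC), the domain entry, the Kaspersky ActiveX scanner, the `cmd.exe /C cscript` RunOnce entry, and three for the Zabbix service (binary missing, unknown vendor, path under a user's Desktop). The RunOnce entry and the Kaspersky control are legitimate here, which is the point: the script narrows the log to what needs a question, and the helper's judgement (or the user's confirmation, as in this thread) decides the rest.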

Unread postby beynac » October 27th, 2007, 6:54 am

Most of the items picked up by Kaspersky relate to VNC Server Version 4 and some so-called "Risk Tools" which seem to relate to cbaysystems.com. Everything is now OK, provided that you are happy with both of these. If not, please let me know and don't proceed with the next steps.

--------------------------------------------------

You can delete ComboFix and the folder C:\qoobox\

Flush System Restore

We need to 'flush' your System Restore points and create a new clean one.

Turn OFF System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK
Restart your computer

Turn ON System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK
-----------------------------------------

If you do not already use it, I suggest that you install SpywareBlaster. This program will:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
This program blocks these items but does not run in the background. It therefore does not use any resources.

I would also recommend that you have a look at Firetrust SiteHound. This gives warnings when you are about to enter a website that is on their 'block' list. An alternative is McAfee SiteAdvisor. I use SiteHound, but both have a good reputation (N.B. use only one of them, not both).

This article, How to prevent Malware by miekiemoes, gives some very good advice.

Please let me know whether you have any questions.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby rsshekar » October 27th, 2007, 10:26 am

Hi,

I would like both to be removed...please advise.

Thanks,
./s
rsshekar
Regular Member
 
Posts: 32
Joined: October 19th, 2007, 3:08 am
Location: Bangalore

Unread postby beynac » October 27th, 2007, 10:46 am

We need to uninstall the VNC server program. I therefore need to see a list of the programs installed on the computer, so that I can advise you which to uninstall.

Please open HijackThis
  • Click on the Open the Misc Tools section button
  • Click on Open Uninstall Manager...
  • Click on Save List... (towards the bottom right)
  • Save the text file to a convenient location
Open the text file and post the contents as a reply to this thread.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby rsshekar » October 27th, 2007, 11:19 pm

Hi,

Here is the uninstall log:

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Adobe Reader Chinese Simplified Fonts
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
Citrix ICA Client
Dell ResourceCD
Error Repair
Error Repair Professional 3.6
FinePrint
Generic USB Mass Storage Driver
Google Talk (remove only)
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Kaspersky Online Scanner
LeechFTP
LiveAdvisor (Symantec Corporation)
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
ML-2150 Series
ML-2150 Series PS
Mozilla Firefox (2.0.0.8)
Mozilla Thunderbird (2.0.0.6)
MSXML 6.0 Parser (KB933579)
OpenOffice.org 2.1
Pandion
Pdf995
PuTTY development snapshot 2007-02-15:r7287
QuickTime Alternative 1.81
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Skype Plugin Manager
SolidConverterPDF
SoundMAX
Symantec pcAnywhere
Update for Microsoft .NET Framework 3.0 (KB932394)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Vim 7.0 (self-installing)
VNC Free Edition 4.1.2
Windows Communication Foundation
Windows Desktop Search 3.01
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Messenger

Thanks,
./s
rsshekar
Regular Member
 
Posts: 32
Joined: October 19th, 2007, 3:08 am
Location: Bangalore

Unread postby beynac » October 29th, 2007, 7:37 am

To get rid of VNC, go to Start -> Control Panel -> Add or Remove Programs and uninstall VNC Free Edition 4.1.2.

Click on Start then My Computer, find the following folder and delete it:

C:\Program Files\RealVNC\

The other 'risk tools' are in sub-folders of C:\WINDOWS\CSC\. The sub-folders are named d1, d2, d4, d7 and d8. Could you please have a look in this folder and the sub-folders to see if you want to keep anything. If not, delete the folder or sub-folder, as appropriate. If there are things in the folders that you wish to keep, let me know and I will list out the items you need to delete.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby Gary R » November 5th, 2007, 12:52 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire