Command Service - Free Antivirus Forum

Command Service

BullGuard Antivirus Forum > Virus Removal > Removal Help > Command Service

Forum Quick Jump

29 posts in this thread.
Viewing Page : 1 2

[ << Previous Thread | Next Thread >> ]

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 11-21-2008 9:11 (GMT +1)

Hi,

I keep getting IE pop-us even though I am not using it. I used spybot S&D only to find that command service is causing this problem. Spybot is not able to fix it after repeated starts. my system has become slow. kindly help me.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 11-22-2008 6:22 (GMT +1)

Hello

Download this program: http://www.ctrlaltdel.dk/Fix_download.exe

and save it on the desktop. Then double click on it (Fix_download.exe).

You may have to allow the program to download files from the web!

The program download the necessary cleaning programs. Once the program
is downloaded, there will be a folder on your desktop named
Fix. – if the instructions not automatically opens, so
double-click "FIX_manual.htm" in Fix folder.

Please follow the instructions and copy the logs here, in this Topic.

Note : Fix_download.exe is detected by some antivirus programs as a "RiskTool" /infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If necessary, temporarily disable your anti-virus, real-time protection before downloading

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 11-30-2008 9:23 (GMT +1)

Hi I am sorry about the delay.
i am using a xp system. i had limewire which i uninstalled, before running the tests.
the first 2 tests did not stop the pop-ups so i ran the other 2 too. my machine has become very very slow. here are the logs

mbam logs

Malwarebytes' Anti-Malware 1.30
Database version: 1436
Windows 5.1.2600 Service Pack 2

11/30/2008 2:06:37 AM
mbam-log-2008-11-30 (02-06-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 177013
Time elapsed: 7 hour(s), 23 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kefuguhi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\hazikubu.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2546bda7-fae6-4beb-ba23-e8ac54def486} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2546bda7-fae6-4beb-ba23-e8ac54def486} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20341322 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm230720be (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mateyupona (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hazikubu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\hazikubu.dll -> No action taken.

Folders Infected:
C:\WINDOWS\system32\x4 (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\kefuguhi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ihugufek.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wehebopa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\apobehew.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wuzakoba.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\abokazuw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\!!!ulale.dll (Trojan.BHO.H) -> No action taken.
c:\WINDOWS\system32\hazikubu.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{54285A53-C6CC-4F9B-A534-F355C1A8D3D7}\RP140\A0069650.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{54285A53-C6CC-4F9B-A534-F355C1A8D3D7}\RP140\A0069705.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gafuhelu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mp\kstamv3.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> No action taken.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\howiduga.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\jupayobu.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Downloaded Program Files\atmccli.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\jafiyuji.dll (Trojan.Vundo) -> No action taken.

Malwarebytes' Anti-Malware 1.30
Database version: 1436
Windows 5.1.2600 Service Pack 2

11/30/2008 2:08:29 AM
mbam-log-2008-11-30 (02-08-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 177013
Time elapsed: 7 hour(s), 23 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kefuguhi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\hazikubu.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2546bda7-fae6-4beb-ba23-e8ac54def486} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2546bda7-fae6-4beb-ba23-e8ac54def486} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20341322 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm230720be (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mateyupona (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hazikubu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\hazikubu.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\x4 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kefuguhi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihugufek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wehebopa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\apobehew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuzakoba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abokazuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\!!!ulale.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\system32\hazikubu.dll (Trojan.BHO) -> Delete on reboot.
C:\System Volume Information\_restore{54285A53-C6CC-4F9B-A534-F355C1A8D3D7}\RP140\A0069650.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54285A53-C6CC-4F9B-A534-F355C1A8D3D7}\RP140\A0069705.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gafuhelu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mp\kstamv3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\yogendra\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\howiduga.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jupayobu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\atmccli.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jafiyuji.dll (Trojan.Vundo) -> Delete on reboot.

ComboFix 08-11-30.01 - yogendra 2008-11-30 13:21:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1030 [GMT -6:00]
Running from: c:\documents and settings\yogendra\Desktop\FIX\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yogendra\Application Data\inst.exe
c:\temp\tn3
c:\windows\system32\a3
c:\windows\system32\a3\FTcapi43.exe
c:\windows\system32\bawisayo.dll
c:\windows\system32\Cache
c:\windows\system32\dobafigi.dll
c:\windows\system32\ebumefok.ini
c:\windows\system32\gotizihu.dll
c:\windows\system32\ijuyifaj.ini
c:\windows\system32\olihodaz.ini
c:\windows\system32\oyasiwab.ini
c:\windows\system32\tobajuho.dll
c:\windows\system32\uvibitod.ini

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-29 18:41 . 2008-11-30 02:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 18:41 . 2008-11-29 18:41 <DIR> d-------- c:\documents and settings\yogendra\Application Data\Malwarebytes
2008-11-29 18:41 . 2008-11-29 18:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 18:41 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 18:41 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 18:23 . 2008-11-29 18:23 <DIR> d-------- c:\program files\CCleaner
2008-11-29 12:41 . 2008-11-29 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\MemeoCommon
2008-11-29 12:37 . 2008-11-29 12:41 <DIR> d-------- c:\documents and settings\yogendra\Application Data\MioNet
2008-11-29 12:32 . 2006-10-04 20:42 2,560 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 12:32 . 2006-10-04 20:42 2,432 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-29 12:31 . 2008-11-29 12:32 <DIR> d-------- c:\program files\Picasa2
2008-11-29 12:28 . 2008-11-29 12:28 <DIR> d-------- c:\program files\Western Digital
2008-11-29 12:27 . 2008-11-30 13:23 <DIR> d-------- c:\program files\MioNet
2008-11-29 12:27 . 2008-11-29 12:27 <DIR> d---s---- c:\documents and settings\All Users\Application Data\WD
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\program files\WD
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\documents and settings\yogendra\Application Data\WD
2008-11-29 12:25 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-29 12:25 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-25 12:06 . 2008-11-25 12:06 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 12:06 . 2008-11-25 12:06 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-21 14:00 . 2008-11-21 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-21 13:58 . 2008-11-21 17:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-21 13:58 . 2008-11-26 18:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-21 13:58 . 2008-11-21 13:58 <DIR> d-------- c:\documents and settings\yogendra\Application Data\SUPERAntiSpyware.com
2008-11-21 10:26 . 2008-11-21 14:56 499 --a------ c:\windows\wininit.ini
2008-11-21 09:59 . 2008-11-21 09:59 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-21 09:43 . 2008-11-21 15:13 <DIR> d--hs---- c:\windows\eW9nZW5kcmE
2008-11-21 09:43 . 2008-11-21 09:43 <DIR> d-------- c:\temp\FT62
2008-11-21 09:43 . 2008-11-21 09:45 47,598 --a------ c:\windows\system32\aumbicdcvgkst.exe
2008-11-21 09:42 . 2008-11-21 15:13 <DIR> d-------- c:\windows\system32\ID2
2008-11-21 09:42 . 2008-11-21 15:13 <DIR> d-------- c:\windows\system32\dim
2008-11-21 09:42 . 2008-11-21 09:42 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-21 09:42 . 2008-11-21 09:42 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-21 09:42 . 2008-11-21 09:42 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-16 19:10 . 2008-11-16 19:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 19:10 . 2008-11-29 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 13:51 . 2008-11-12 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-05 10:06 . 2008-11-05 10:06 <DIR> d-------- c:\program files\ArgoUML
2008-11-05 10:06 . 2008-11-05 10:06 <DIR> d-------- c:\documents and settings\yogendra\.argouml
2008-11-04 16:20 . 2008-11-04 16:21 <DIR> d-------- c:\documents and settings\yogendra\Application Data\ooVoo Details
2008-11-04 16:19 . 2008-11-04 16:20 <DIR> d-------- c:\program files\ooVoo
2008-11-01 14:45 . 2008-11-29 18:22 <DIR> d-------- c:\program files\LimeWire
2008-11-01 14:45 . 2008-11-30 02:09 <DIR> d-------- c:\documents and settings\yogendra\Application Data\LimeWire
2008-10-28 22:05 . 2008-10-28 22:06 <DIR> d-------- c:\documents and settings\yogendra\Application Data\Artemis
2008-10-28 21:51 . 2008-10-28 22:03 <DIR> d-------- c:\program files\Speedy P2P Movie Finder
2008-10-27 12:41 . 2008-10-31 14:04 <DIR> d-------- c:\windows\Downloaded Installations
2008-10-24 16:37 . 2008-11-12 00:11 <DIR> d-------- c:\documents and settings\yogendra\Shared
2008-10-24 16:37 . 2008-11-13 08:26 <DIR> d-------- c:\documents and settings\yogendra\Incomplete
2008-10-24 16:37 . 2008-10-26 16:01 <DIR> d-------- c:\documents and settings\yogendra\Application Data\MP3Rocket
2008-10-24 16:36 . 2008-10-24 16:37 <DIR> d-------- c:\program files\MP3 Rocket
2008-10-24 14:37 . 2008-11-12 13:51 <DIR> d-------- c:\program files\Yahoo!
2008-10-24 14:37 . 2008-10-24 14:37 <DIR> d-------- c:\documents and settings\yogendra\Application Data\Yahoo!
2008-10-24 14:37 . 2008-11-12 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-12 09:33 . 2005-06-15 02:00 102,400 --a------ c:\windows\system32\tsccvid.dll
2008-10-10 14:42 . 2008-10-10 14:42 <DIR> d-------- c:\documents and settings\yogendra\Application Data\skypePM
2008-10-10 14:42 . 2008-10-10 14:42 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-10 14:39 . 2008-10-10 14:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-10-10 14:26 . 2008-10-10 15:01 <DIR> d-------- c:\program files\iCall
2008-10-07 19:57 . 2008-10-07 19:58 <DIR> d-------- c:\documents and settings\yogendra\Application Data\VoipRaider
2008-10-05 13:02 . 2008-10-05 13:02 <DIR> d-------- c:\documents and settings\yogendra\Application Data\webex
2008-10-05 09:44 . 2008-10-24 18:51 <DIR> d-------- c:\documents and settings\yogendra\Application Data\Apple Computer
2008-10-05 09:44 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-05 09:44 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-05 09:43 . 2008-10-05 09:44 <DIR> d-------- c:\program files\iTunes
2008-10-05 09:43 . 2008-10-05 09:43 <DIR> d-------- c:\program files\iPod
2008-10-05 09:43 . 2008-10-05 09:43 <DIR> d-------- c:\program files\Bonjour
2008-10-05 09:43 . 2008-10-05 09:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-05 09:42 . 2008-10-05 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-05 09:41 . 2008-10-05 09:41 <DIR> d-------- c:\program files\Apple Software Update
2008-10-05 09:40 . 2008-10-05 09:42 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-05 09:40 . 2008-10-05 09:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-02 19:44 . 2008-10-02 19:44 <DIR> d-------- C:\CPM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 18:32 --------- d-----w c:\program files\Google
2008-11-25 18:06 --------- d-----w c:\program files\Java
2008-11-04 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 20:37 --------- d-----w c:\program files\DivX
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-05 15:42 --------- d-----w c:\program files\QuickTime
2008-05-26 22:29 47,360 ----a-w c:\documents and settings\yogendra\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-03 185896]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2008-01-14 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-29 1838592]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]

c:\documents and settings\yogendra\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-05-27 44384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-11-29 9662]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\MioNet\\MioNetManager.exe"=
"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R2 MioNet;MioNet;"c:\program files\MioNet\MioNetManager.exe" -s "c:\program files\MioNet\wrapper.conf" [2008-01-14 139264]
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S1 Sacm2AA;Sacm2AA;c:\windows\system32\drivers\Sacm2AA.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15b66386-be43-11dd-ba0d-0015c5779cf4}]
\Shell\AutoRun\command - WDSetup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{2546bda7-fae6-4beb-ba23-e8ac54def486} - c:\windows\system32\!!!ulale.dll
HKLM-Run-mateyupona - c:\windows\system32\jupayobu.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\yogendra\Application Data\Mozilla\Firefox\Profiles\tscpjc4p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 13:47:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\MioNet\MioNetManager.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2008-11-30 14:01:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-30 20:01:39

Pre-Run: 69,029,789,696 bytes free
Post-Run: 68,892,622,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

262 --- E O F --- 2008-11-16 00:26:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:03 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\yogendra\Desktop\FIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: WD Anywhere Backup Launcher.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1227636414874&h=5c3679687bf06211b8919870fa480fa2/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)

--
End of file - 12069 bytes

Kindly help me. my system as i said has become very slow. it could either be coz of lime wire or i went to run->msconfig and unchecked a few items i dint want to load during start-up. its actually the second change after which i have been getting these pop-ups. first i got them in IE, now i am getting in firefox as well

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 11-30-2008 9:31 (GMT +1)

Hi,

Also I have transferred my data to a new portable hard drive. is it possible that the infections are there in those files as well?
and i know this cant be related to this malware, but i dont see the icon(safely remove hardware) in my system tray to disconnect my drive. kindly advice

thank you
yogi

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 11-30-2008 9:33 (GMT +1)

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 12-1-2008 10:48 (GMT +1)

Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Copy the entire contents of the Quote Box below to Notepad.
Name the file as CFScript
and Save it on the desktop

QUOTE:

Killall::

Snapshot::

File::
C:\windows\eW9nZW5kcmE
c:\windows\system32\aumbicdcvgkst.exe

c:\windows\system32\jupayobu.dll

Folder::

c:\windows\system32\ID2
c:\windows\system32\dim

C:\program files\LimeWire
c:\documents and settings\yogendra\Application Data\LimeWire

Domains::

http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 12-1-2008 6:13 (GMT +1)

ComboFix 08-11-30.02 - yogendra 2008-12-01 10:51:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1311 [GMT -6:00]
Running from: c:\documents and settings\yogendra\Desktop\FIX\ComboFix.exe
Command switches used :: c:\documents and settings\yogendra\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\eW9nZW5kcmE
c:\windows\system32\aumbicdcvgkst.exe
c:\windows\system32\jupayobu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yogendra\Application Data\LimeWire
c:\documents and settings\yogendra\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\yogendra\Application Data\LimeWire\createtimes.cache
c:\documents and settings\yogendra\Application Data\LimeWire\downloads.dat
c:\documents and settings\yogendra\Application Data\LimeWire\fileurns.bak
c:\documents and settings\yogendra\Application Data\LimeWire\fileurns.cache
c:\documents and settings\yogendra\Application Data\LimeWire\filters.props
c:\documents and settings\yogendra\Application Data\LimeWire\gnutella.net
c:\documents and settings\yogendra\Application Data\LimeWire\installation.props
c:\documents and settings\yogendra\Application Data\LimeWire\library.dat
c:\documents and settings\yogendra\Application Data\LimeWire\limewire.props
c:\documents and settings\yogendra\Application Data\LimeWire\mojito.props
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\yogendra\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\yogendra\Application Data\LimeWire\questions.props
c:\documents and settings\yogendra\Application Data\LimeWire\responses.cache
c:\documents and settings\yogendra\Application Data\LimeWire\simpp.xml
c:\documents and settings\yogendra\Application Data\LimeWire\spam.dat
c:\documents and settings\yogendra\Application Data\LimeWire\tables.props
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\yogendra\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\yogendra\Application Data\LimeWire\ttrees.cache
c:\documents and settings\yogendra\Application Data\LimeWire\ttroot.cache
c:\documents and settings\yogendra\Application Data\LimeWire\version.xml
c:\documents and settings\yogendra\Application Data\LimeWire\versions.props
c:\documents and settings\yogendra\Application Data\LimeWire\xml\data\application.sxml2
c:\documents and settings\yogendra\Application Data\LimeWire\xml\data\video.sxml2
c:\program files\LimeWire
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe
c:\windows\system32\aumbicdcvgkst.exe
c:\windows\system32\dim
c:\windows\system32\ID2

.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-29 18:41 . 2008-11-30 02:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 18:41 . 2008-11-29 18:41 <DIR> d-------- c:\documents and settings\yogendra\Application Data\Malwarebytes
2008-11-29 18:41 . 2008-11-29 18:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 18:41 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 18:41 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 18:23 . 2008-11-29 18:23 <DIR> d-------- c:\program files\CCleaner
2008-11-29 12:41 . 2008-11-29 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\MemeoCommon
2008-11-29 12:37 . 2008-11-29 12:41 <DIR> d-------- c:\documents and settings\yogendra\Application Data\MioNet
2008-11-29 12:32 . 2006-10-04 20:42 2,560 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 12:32 . 2006-10-04 20:42 2,432 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-29 12:31 . 2008-11-29 12:32 <DIR> d-------- c:\program files\Picasa2
2008-11-29 12:28 . 2008-11-29 12:28 <DIR> d-------- c:\program files\Western Digital
2008-11-29 12:27 . 2008-12-01 10:59 <DIR> d-------- c:\program files\MioNet
2008-11-29 12:27 . 2008-11-29 12:27 <DIR> d---s---- c:\documents and settings\All Users\Application Data\WD
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\program files\WD
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-11-29 12:26 . 2008-11-29 12:26 <DIR> d-------- c:\documents and settings\yogendra\Application Data\WD
2008-11-29 12:25 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-29 12:25 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-25 12:06 . 2008-11-25 12:06 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 12:06 . 2008-11-25 12:06 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-21 14:00 . 2008-11-21 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-21 13:58 . 2008-11-21 17:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-21 13:58 . 2008-11-26 18:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-21 13:58 . 2008-11-21 13:58 <DIR> d-------- c:\documents and settings\yogendra\Application Data\SUPERAntiSpyware.com
2008-11-21 10:26 . 2008-11-21 14:56 499 --a------ c:\windows\wininit.ini
2008-11-21 09:59 . 2008-11-21 09:59 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-21 09:43 . 2008-11-21 15:13 <DIR> d--hs---- c:\windows\eW9nZW5kcmE
2008-11-21 09:43 . 2008-11-21 09:43 <DIR> d-------- c:\temp\FT62
2008-11-21 09:42 . 2008-11-21 09:42 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-21 09:42 . 2008-11-21 09:42 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-21 09:42 . 2008-11-21 09:42 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-16 19:10 . 2008-11-16 19:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 19:10 . 2008-11-29 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 13:51 . 2008-11-12 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-05 10:06 . 2008-11-05 10:06 <DIR> d-------- c:\program files\ArgoUML
2008-11-05 10:06 . 2008-11-05 10:06 <DIR> d-------- c:\documents and settings\yogendra\.argouml
2008-11-04 16:20 . 2008-11-04 16:21 <DIR> d-------- c:\documents and settings\yogendra\Application Data\ooVoo Details
2008-11-04 16:19 . 2008-11-04 16:20 <DIR> d-------- c:\program files\ooVoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 18:32 --------- d-----w c:\program files\Google
2008-11-25 18:06 --------- d-----w c:\program files\Java
2008-11-12 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-12 19:51 --------- d-----w c:\program files\Yahoo!
2008-11-04 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 04:06 --------- d-----w c:\documents and settings\yogendra\Application Data\Artemis
2008-10-29 04:03 --------- d-----w c:\program files\Speedy P2P Movie Finder
2008-10-26 22:01 --------- d-----w c:\documents and settings\yogendra\Application Data\MP3Rocket
2008-10-25 00:51 --------- d-----w c:\documents and settings\yogendra\Application Data\Apple Computer
2008-10-24 22:37 --------- d-----w c:\program files\MP3 Rocket
2008-10-24 20:37 --------- d-----w c:\program files\DivX
2008-10-24 20:37 --------- d-----w c:\documents and settings\yogendra\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-10 21:01 --------- d-----w c:\program files\iCall
2008-10-10 20:42 --------- d-----w c:\documents and settings\yogendra\Application Data\skypePM
2008-10-10 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-08 01:58 --------- d-----w c:\documents and settings\yogendra\Application Data\VoipRaider
2008-10-05 19:02 --------- d-----w c:\documents and settings\yogendra\Application Data\webex
2008-10-05 15:44 --------- d-----w c:\program files\iTunes
2008-10-05 15:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-05 15:43 --------- d-----w c:\program files\iPod
2008-10-05 15:43 --------- d-----w c:\program files\Bonjour
2008-10-05 15:42 --------- d-----w c:\program files\QuickTime
2008-10-05 15:42 --------- d-----w c:\program files\Common Files\Apple
2008-10-05 15:42 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-05 15:41 --------- d-----w c:\program files\Apple Software Update
2008-10-05 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-05-26 22:29 47,360 ----a-w c:\documents and settings\yogendra\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-03 185896]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2008-01-14 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-30 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]

c:\documents and settings\yogendra\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-05-27 44384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-11-29 9662]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\MioNet\\MioNetManager.exe"=
"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R2 MioNet;MioNet;"c:\program files\MioNet\MioNetManager.exe" -s "c:\program files\MioNet\wrapper.conf" [2008-01-14 139264]
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S1 Sacm2AA;Sacm2AA;c:\windows\system32\drivers\Sacm2AA.sys []
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-29 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15b66386-be43-11dd-ba0d-0015c5779cf4}]
\Shell\AutoRun\command - WDSetup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 10:59:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\MioNet\MioNetManager.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-01 11:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 17:10:46
ComboFix2.txt 2008-11-30 20:01:49

Pre-Run: 68,794,830,848 bytes free
Post-Run: 69,007,515,648 bytes free

315 --- E O F --- 2008-11-16 00:26:35

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 12-2-2008 6:42 (GMT +1)

Delete this folder:

c:\windows\eW9nZW5kcmE

Reboot, post new hijackthis log and tell how things are running ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 12-2-2008 6:11 (GMT +1)

I have deleted that folder. I dont see any significant change in performance though.
Also I am not able to run HijackThis. I am getting the following error : "this application has failed to start because MSVBM60.DLL was not found. Re-installing the application may fix the problem". I tried re-installing but i get the same error.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14325

Posted 12-4-2008 8:52 (GMT +1)

Ok.

Download and install the Visual Basic 6 SP5 run-time from here:
http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98Me/EN-US/vbrun60sp5.exe

That should fix your problem with hijackthis

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

yogendra
New Member

Date Joined Nov 2008
Total Posts : 22

Posted 12-4-2008 6:21 (GMT +1)

Hi,

I have attached the logs. My system is definitely faster than earlier, but it still takes a long time to load the objects in system tray.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:41 AM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\yogendra\Desktop\FIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.