Cyber Tech Help Support Forums > Software > Malware Removal

#31, December 31st, 2007, 04:54 PM
Jintan, Malware Removal Team Advisor (Join Date: Dec 2004; Posts: 51,626)
What are the F and G drives used for there, Mahesha? The infection is on all drives. It may no longer be active, but there are files from it we need to delete.

#32, December 31st, 2007, 07:29 PM
mahesha_babu, Member (Join Date: Dec 2007; Posts: 31)
I searched on all the drives for the file, but search results showed none.

#33, December 31st, 2007, 09:09 PM
Jintan, Malware Removal Team Advisor (Join Date: Dec 2004; Posts: 51,626)
Not just that one, there are other bad files. But what are these other drives - what are the G and F drives there? Is either a flash drive or an external drive? We have the means of repair, if I can understand what you have there.

#34, January 4th, 2008, 04:50 PM
mahesha_babu, Member (Join Date: Dec 2007; Posts: 31)
Hi,

Sorry for the late reply, F & G are partitions on the same drive.

#35, January 4th, 2008, 10:13 PM
Jintan, Malware Removal Team Advisor (Join Date: Dec 2004; Posts: 51,626)
I can't recall if ComboFix deletes other drive files, but we'll see.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
File::
C:\xfoolavp.com
F:\dosocom.com
F:\usdeiect.com
F:\xfoolavp.com
G:\dosocom.com
G:\usdeiect.com
G:\xfoolavp.com
C:\autorun.inf
F:\autorun.inf
G:\autorun.inf
G:\MMB\documents\babu\Desktop\New Folder\3DHAHomeDesignSE6-dm.exe
G:\MMB\Softees\GDiVXZen1.2.exe
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe
Save this as "CFScript"

(include the "quotation marks" with the name)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

--------------------------

Then double-click on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

--------------------------

Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with the ComboFix.txt log please.

#36, January 5th, 2008, 11:36 AM
mahesha_babu, Member (Join Date: Dec 2007; Posts: 31)
ComboFix 08-01-05.1 - babu 2008-01-05 11:38:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.354 [GMT 5.5:30]
Running from: C:\Documents and Settings\babu\Desktop\New Folder (2)\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 11:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 16:36 . 2008-01-01 16:36 <DIR> d-------- C:\Program Files\BadBlue
2007-12-31 15:15 . 2000-10-19 14:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-31 15:08 . 2007-12-31 15:56 <DIR> d-------- C:\Program Files\Business-in-a-Box
2007-12-30 12:09 . 2007-12-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2007-12-29 20:59 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Maxtor
2007-12-29 10:24 . 2008-01-05 10:58 54,272 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-28 22:16 . 2007-12-28 22:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 22:16 . 2007-12-28 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 10:48 . 2007-12-28 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-28 10:48 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-28 10:48 . 2007-12-28 11:03 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-28 10:47 . 2007-12-28 11:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-25 21:05 . 2007-12-25 21:05 <DIR> d-------- C:\Documents and Settings\babu\Application Data\Grisoft
2007-12-25 21:05 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-25 12:13 . 2007-12-25 12:13 256 --a------ C:\WINDOWS\_delis32.ini
2007-12-25 12:12 . 2007-12-25 13:49 <DIR> d-------- C:\Program Files\Symantec
2007-12-25 12:12 . 2007-12-25 13:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-25 12:12 . 2007-12-25 12:12 <DIR> d-------- C:\Documents and Settings\babu\Application Data\Symantec
2007-12-24 12:59 . 2007-12-24 12:59 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-24 12:54 . 2008-01-05 10:58 <DIR> d-------- C:\Documents and Settings\babu\Application Data\AVG7
2007-12-24 12:53 . 2007-12-24 12:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-24 12:53 . 2007-12-25 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-24 12:53 . 2007-12-24 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-24 12:45 . 2007-12-24 12:45 <DIR> d-------- C:\TEMP\Clt-Inst
2007-12-24 12:45 . 2007-12-24 12:45 <DIR> d-------- C:\TEMP
2007-12-23 17:50 . 2007-12-23 17:50 0 --a------ C:\WINDOWS\VPC32.INI
2007-12-23 17:34 . 2007-11-26 23:50 1,040 --a------ C:\win.ini
2007-12-21 14:23 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-12-21 14:23 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-12-21 14:23 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-12-21 14:23 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-12-21 13:02 . 2007-12-21 13:02 50 --a------ C:\WINDOWS\MegaManager.INI
2007-12-21 10:24 . 2007-12-29 10:25 54,272 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2007-12-20 00:13 . 2003-03-17 17:26 94,720 --a------ C:\WINDOWS\system\Crystl32.ocx
2007-12-19 23:56 . 2007-12-19 23:56 265,728 --a------ C:\WINDOWS\system32\MSCOMCTL.oca
2007-12-19 23:56 . 2007-12-19 23:56 135,168 --a------ C:\WINDOWS\system32\mscomct2.oca
2007-12-19 23:56 . 2007-12-19 23:56 65,536 --a------ C:\WINDOWS\system32\MSDATGRD.oca
2007-12-19 23:56 . 2007-12-19 23:56 35,840 --a------ C:\WINDOWS\system32\MSADODC.oca
2007-12-19 21:12 . 2007-12-19 21:15 <DIR> d-------- C:\Program Files\Web Publish
2007-12-19 20:51 . 2003-03-17 17:26 94,720 --a------ C:\WINDOWS\system32\crystl32.ocx
2007-12-19 20:40 . 2007-12-29 10:25 105,537 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-19 16:11 . 2007-12-21 11:57 <DIR> d-------- C:\WINDOWS\Crystal
2007-12-18 23:14 . 2007-12-18 23:16 <DIR> d-------- C:\Program Files\Picasa2
2007-12-18 15:59 . 2007-12-18 17:02 221,852 --a------ C:\bar.emf
2007-12-14 21:13 . 2007-12-14 21:13 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-14 21:13 . 2007-12-14 21:13 <DIR> d-------- C:\Program Files\Autodesk
2007-12-14 21:13 . 2007-12-14 21:13 54,784 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-14 21:13 . 2007-12-14 21:13 12,464 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-14 21:12 . 2007-12-14 21:12 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2007-12-14 21:11 . 2007-12-14 21:12 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-12-14 21:11 . 2007-12-14 21:15 <DIR> d-------- C:\Documents and Settings\babu\Application Data\Autodesk
2007-12-14 21:11 . 2007-12-14 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2007-12-14 11:57 . 2007-12-14 11:57 <DIR> d-------- C:\Program Files\rediff.com
2007-12-06 23:15 . 2007-12-06 23:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-06 23:14 . 2007-12-06 23:15 <DIR> d-------- C:\Program Files\Real
2007-12-06 23:14 . 2007-12-06 23:15 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-06 22:15 . 2007-12-21 11:58 <DIR> d-------- C:\Documents and Settings\babu\Application Data\DMCache
2007-12-06 21:50 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-12-06 21:50 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-05 22:00 . 2008-01-05 11:06 <DIR> d-------- C:\Documents and Settings\babu\Application Data\skypePM
2007-12-05 22:00 . 2007-12-05 22:00 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-05 21:59 . 2007-12-05 21:59 <DIR> d-------- C:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 06:13 --------- d-----w C:\Documents and Settings\babu\Application Data\Skype
2008-01-05 05:28 --------- d-----w C:\Program Files\FlashGet
2008-01-04 08:54 --------- d-----w C:\Documents and Settings\babu\Application Data\webex
2008-01-02 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-29 15:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 09:56 --------- d-----w C:\Program Files\Google
2007-12-25 08:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 16:01 --------- d-----w C:\Program Files\WebEx
2007-12-21 08:53 155,995 ----a-w C:\WINDOWS\java\Packages\ABVBPV9Z.ZIP
2007-12-11 09:58 1,248 --sha-w C:\xj2mvefv.sys
2007-12-03 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-03 18:52 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-12-03 18:37 --------- d-----w C:\Program Files\Avanquest update
2007-12-03 18:28 92,064 ----a-w C:\Documents and Settings\babu\mqdmmdm.sys
2007-12-03 18:28 9,232 ----a-w C:\Documents and Settings\babu\mqdmmdfl.sys
2007-12-03 18:28 79,328 ----a-w C:\Documents and Settings\babu\mqdmserd.sys
2007-12-03 18:28 66,656 ----a-w C:\Documents and Settings\babu\mqdmbus.sys
2007-12-03 18:28 6,208 ----a-w C:\Documents and Settings\babu\mqdmcmnt.sys
2007-12-03 18:28 5,936 ----a-w C:\Documents and Settings\babu\mqdmwhnt.sys
2007-12-03 18:28 4,048 ----a-w C:\Documents and Settings\babu\mqdmcr.sys
2007-12-03 18:28 25,600 ----a-w C:\Documents and Settings\babu\usbsermptxp.sys
2007-12-03 18:28 22,768 ----a-w C:\Documents and Settings\babu\usbsermpt.sys
2007-11-26 18:20 --------- d-----w C:\Program Files\Super Yahoo Messenger Archive Decoder
2007-11-25 16:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-25 15:02 --------- d-----w C:\Program Files\MagicISO
2007-11-25 14:43 --------- d-----w C:\Program Files\MyPhoneExplorer
2007-11-23 17:32 --------- d-----w C:\Program Files\Money Manager Ex
2007-11-23 17:10 --------- d-----w C:\Program Files\FMS
2007-11-23 17:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-11-23 17:08 --------- d-----w C:\Documents and Settings\babu\Application Data\Roxio
2007-11-22 16:42 --------- d-----w C:\Program Files\Xing
2007-11-21 10:17 --------- d-----w C:\Program Files\GDivX Zenith Player
2007-11-17 04:22 --------- d-----w C:\Documents and Settings\babu\Application Data\AdobeUM
2007-11-15 16:43 --------- d-----w C:\Program Files\Boson Software
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 11:52 186 ----a-w C:\test2.bat
2007-11-12 11:33 --------- d-----w C:\Program Files\FileZilla
2007-11-12 11:22 140 ----a-w C:\test1.bat
2007-11-12 10:53 71 ----a-w C:\copy.bat
2007-11-12 10:53 501 ----a-w C:\test.bat
2007-11-12 06:49 60,480 ----a-w C:\USP10325_20071107_150.zip
2007-11-10 07:23 --------- d-----w C:\Documents and Settings\babu\Application Data\Megaupload
2007-11-09 18:12 --------- d-----w C:\Documents and Settings\babu\Application Data\Apple Computer
2007-11-08 17:15 --------- d-----w C:\Program Files\Network Management Suite
2007-11-08 16:21 --------- d-----w C:\Program Files\PHP
2007-11-08 15:59 --------- d-----w C:\Program Files\AIDA32 - Network System Information
2007-11-06 04:56 202,826 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 12:10 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-01 09:58 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"amva"="C:\WINDOWS\system32\amvo.exe" [2007-12-29 10:25 105537]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"BIBLauncher"="C:\Program files\Business-in-a-BoxBIBLauncher.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36 827392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36 872448]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 11:00 192512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-18 21:50 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-18 21:50 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-18 21:50 138008]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"CassandraStartup"="C:\LaggAt\tools\Cassandra\Cassandra\bin\Cassandra.exe" [ ]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-06-29 17:14 1990704]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-06 23:14 185632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 12:53 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [2002-03-11 17:10 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-24 12:53 219136]

C:\Documents and Settings\babu\Start Menu\Programs\Startup\
BadBlue.lnk - C:\Program Files\BadBlue\PE\badblue.exe [2006-02-12 19:53:32]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-09-29 10:31:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-09-28 19:44:43]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 15:14:00]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-09-28 18:54:21]
NetScreen-Remote.lnk - C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe [2007-10-02 19:12:03]
VPN Client.lnk - C:\WINDOWS\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-09-28 20:35:53]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CassandraStartup]
C:\LaggAt\tools\Cassandra\Cassandra\bin\Cassandra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2005-02-24 15:32]
R2 Crypto;Crypto;C:\WINDOWS\system32\drivers\Crypto.sys [2004-11-10 12:36]
R2 JTrac-Jetty;JTrac-Jetty;G:\jtrac-2.1.0-beta\jtrac\wrapper.exe [2006-10-17 23:22]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2006-02-28 17:30]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]
S3 HP24X;HP PC Card Smart Card Reader;C:\WINDOWS\system32\DRIVERS\HP24X.sys []
S3 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 03:45]
S3 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 07:01]
S3 Polar Help Desk Scheduler;Polar Help Desk Scheduler;c:\program files\polar\polar help desk\services\polar.helpdesk.scheduler.exe [2007-05-01 02:37]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 03:44]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221c35c9-b60e-11dc-a116-001a734a35bd}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d8d1c5-966e-11dc-8304-00059a3c7800}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 09:15:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-05 05:28:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 11:43:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2008-01-05 11:45:11
ComboFix-quarantined-files.txt 2008-01-05 06:14:37
ComboFix2.txt 2007-12-29 04:13:25
ComboFix3.txt 2007-12-27 18:20:54
.
2007-12-21 08:53:50 --- E O F ---
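Added example, not from this thread and not a ComboFix feature: a Python triage script for the log format posted above. It reads the "Files Created" and "Reg Loading Points" sections, flags files under C:\WINDOWS that carry hidden+system attributes (the amvo.exe / amvo0.dll pattern in the log), autostart entries that point at such a file or that the log listed with empty [ ] details, and the per-drive mountpoints2 AutoRun handlers. SAMPLE_LOG is a constructed excerpt modelled on the posted lines, and the finding names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix log layout seen in this thread
# (a few lines modelled on the posted log, not the full log).
SAMPLE_LOG = r"""
(((((((((( Files Created from 2007-12-05 to 2008-01-05 ))))))))))
.
2007-12-29 10:24 . 2008-01-05 10:58 54,272 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-28 10:48 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-19 20:40 . 2007-12-29 10:25 105,537 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-14 21:13 . 2007-12-14 21:13 <DIR> d-------- C:\Program Files\Autodesk
.
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"amva"="C:\WINDOWS\system32\amvo.exe" [2007-12-29 10:25 105537]
"BIBLauncher"="C:\Program files\Business-in-a-BoxBIBLauncher.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221c35c9-b60e-11dc-a116-001a734a35bd}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d8d1c5-966e-11dc-8304-00059a3c7800}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# One line of a "Files Created" section: created . modified size attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-A-Za-z]{9})\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s+\[(?P<info>.*)\]$')
MP_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$")


def parse_files(lines):
    """Map lower-cased path -> attribute string for every non-directory file line."""
    files = {}
    for line in lines:
        m = FILE_RE.match(line)
        if m and m.group("size") != "<DIR>":
            files[m.group("path").lower()] = m.group("attrs")
    return files


def triage(log_text):
    """Return the findings a helper would look at first in a log like this one."""
    lines = log_text.splitlines()
    files = parse_files(lines)
    findings = []
    # 1. Hidden+system files dropped under the Windows directory (amvo.exe pattern).
    for path, attrs in files.items():
        if "h" in attrs and "s" in attrs and path.startswith("c:\\windows\\"):
            findings.append(Finding("hidden-system-file", f"{path} ({attrs})"))
    # 2. Walk the registry dump, remembering which key the current line sits under.
    key = ""
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        rm = RUN_RE.match(line)
        if rm and key.endswith("\\run"):
            name, target, info = rm.group("name"), rm.group("target"), rm.group("info")
            if "h" in files.get(target.lower(), ""):
                findings.append(Finding("autostart-hidden-file", f"{name} -> {target}"))
            elif not info.strip():  # the log printed "[ ]": no file details recorded
                findings.append(Finding("autostart-no-file-info", f"{name} -> {target}"))
            continue
        mm = MP_RE.match(line)
        if mm and "mountpoints2" in key:
            # Per-volume autorun handlers; a bare executable name here is resolved
            # against the root of the drive that was plugged in, so call it out.
            cmd = mm.group("cmd")
            exe = cmd.split()[0]
            flag = " (relative path)" if ":" not in exe and not exe.startswith("\\") else ""
            guid = key.rsplit("\\", 1)[-1]
            findings.append(Finding("drive-autorun-handler", f"{guid} {mm.group('verb')}: {cmd}{flag}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```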

#37, January 5th, 2008, 11:37 AM
mahesha_babu, Member (Join Date: Dec 2007; Posts: 31)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-05 14:42
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/01/2008
Kaspersky Anti-Virus database records: 502797
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 107422
Number of viruses found: 4
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 02:38:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.88.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.88.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG001a.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy153.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_534.dat Object is locked skipped
C:\Documents and Settings\babu\Application Data\AVG7\l_000113.log Object is locked skipped
C:\Documents and Settings\babu\Application Data\Microsoft\Outlook\Mahesha_HDS.srs Object is locked skipped
C:\Documents and Settings\babu\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\call256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\callmember256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chat1024.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chat4096.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chat512.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\index2.dat Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\profile16384.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\transfer256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\transfer512.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\user1024.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\user16384.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\user256.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\user4096.dbb Object is locked skipped
C:\Documents and Settings\babu\Application Data\Skype\mahesha.babu\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\babu\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Outlook\~archive.pst.tmp Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Outlook\~outlook.ost.tmp Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\babu\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\History\History.IE5\MSHist012008010520080106\index.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temp\ExchangePerflog_8484fa31fa1fc8dfadfd4421.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temp\Perflib_Perfdata_ca0.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temp\Perflib_Perfdata_dc8.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\babu\Local Settings\Temporary Internet Files\Content.Word\~WRS{9BF99073-04A7-4B44-B87A-9A8ADEF8CA83}.tmp Object is locked skipped
C:\Documents and Settings\babu\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\babu\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_babu.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_babu.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_babu.log Object is locked skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.biw skipped
C:\QooBox\Quarantine\F\autorun.inf.vir Infected: Worm.Win32.AutoRun.biw skipped
C:\QooBox\Quarantine\G\autorun.inf.vir Infected: Worm.Win32.AutoRun.biw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\A0003367.inf Infected: Worm.Win32.AutoRun.biw skipped
C:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\Polar.He.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1232 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\A0003368.inf Infected: Worm.Win32.AutoRun.biw skipped
F:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\change.log Object is locked skipped
G:\jtrac-2.1.0-beta\jtrac\data\db\jtrac.lck Object is locked skipped
G:\jtrac-2.1.0-beta\jtrac\data\db\jtrac.log Object is locked skipped
G:\jtrac-2.1.0-beta\jtrac\logs\2008_01_05.request.log Object is locked skipped
G:\jtrac-2.1.0-beta\jtrac\logs\jtrac.log Object is locked skipped
G:\MMB\documents\babu\Desktop\New Folder\3DHAHomeDesignSE6-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
G:\MMB\MMB\mails\Outlook_HDS\backup_040907.pst Object is locked skipped
G:\MMB\MMB\mails\Outlook_HDS\~backup_040907.pst.tmp Object is locked skipped
G:\MMB\Softees\GDiVXZen1.2.exe/data0005 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
  #38  
Old January 5th, 2008, 11:37 AM
mahesha_babu
Member
 
Join Date: Dec 2007
Posts: 31
G:\MMB\Softees\GDiVXZen1.2.exe NSIS: infected - 1 skipped
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\MMB\Softees\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\A0003369.inf Infected: Worm.Win32.AutoRun.biw skipped
G:\System Volume Information\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\RP6\change.log Object is locked skipped

Scan process completed.


I have copied new log files....
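Reading a scanner log like the one above by hand means separating hits that still need action from ones that are already handled. The Python script below is an added example, not a tool from this thread: it parses lines in this scanner's one-object-per-line format and sorts them into locked files, "not-a-virus" riskware, items already sitting in ComboFix's QooBox quarantine, stale copies inside System Restore points, per-archive roll-up lines, and live detections still on disk. The sample lines are constructed in the same format as the posted log; G:\sample_dropper.com is a made-up path.

```python
"""Triage helper for Kaspersky Online Scanner logs in the one-line-per-object
format posted in this thread (added example; not a tool from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Every line ends in "skipped" because the online scanner only reports; it does not clean.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+)"
    r") skipped$"
)

# Constructed sample in the same format as the posted log; G:\sample_dropper.com is made up.
SAMPLE_LOG = """\
C:\\Documents and Settings\\babu\\NTUSER.DAT Object is locked skipped
C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\\QooBox\\Quarantine\\C\\autorun.inf.vir Infected: Worm.Win32.AutoRun.biw skipped
C:\\System Volume Information\\_restore{F3B6DF1E-B85C-432F-805D-EE15D416DE23}\\RP6\\A0003367.inf Infected: Worm.Win32.AutoRun.biw skipped
G:\\MMB\\Softees\\GDiVXZen1.2.exe/data0005 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
G:\\MMB\\Softees\\GDiVXZen1.2.exe NSIS: infected - 1 skipped
G:\\sample_dropper.com Infected: Worm.Win32.AutoRun.biw skipped
Scan process completed.
"""


@dataclass
class Finding:
    path: str
    detection: str   # detection name, or "" for locked-file and archive roll-up lines
    category: str


def classify(path: str, detection: str, archive: Optional[str]) -> str:
    """Decide whether a hit still needs action or is already handled."""
    upper = path.upper()
    if archive:
        return "archive-summary"   # per-archive roll-up of member hits listed on their own lines
    if detection.startswith("not-a-virus:"):
        return "riskware"          # dual-use tool (e.g. VNC): confirm it was installed deliberately
    if "\\QOOBOX\\QUARANTINE\\" in upper:
        return "quarantined"       # already moved aside by ComboFix; inert where it sits
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "restore-point"     # stale copy in System Restore; gone once restore points are purged
    return "active"                # live copy still on disk: this is what must be removed


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                # headers, blank lines, "Scan process completed."
    path = m.group("path")
    if m.group("locked"):
        return Finding(path, "", "locked")   # in-use system/profile files, not detections
    detection = m.group("detection") or ""
    return Finding(path, detection, classify(path, detection, m.group("archive")))


def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def tally(text: str) -> Counter:
    return Counter(f.category for f in parse_log(text))


def actionable(text: str) -> List[str]:
    """Paths of live detections outside quarantine and restore points."""
    return [f.path for f in parse_log(text) if f.category == "active"]


if __name__ == "__main__":
    for category, n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{category:16} {n}")
    print("still on disk:", actionable(SAMPLE_LOG))
```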
  #39  
Old January 5th, 2008, 04:01 PM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 51,626
I think your system has a newer variant rootkit that has an autoloading component. I am not familiar with this software which was just used - are you doing online web work right now (hope not, as activity interferes with repairs)?

2008-01-01 16:36 . 2008-01-01 16:36 <DIR> d-------- C:\Program Files\BadBlue




Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d8d1c5-966e-11dc-8304-00059a3c7800}]
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


Download System Repair Engineer. Use either of the Local Download buttons to download sreng2.zip

1. Extract it to its own folder on your Desktop, then double click SREng.exe to run it.
2. Select 'Smart Scan' & tick "Verify Digital Signatures"
3. Click on the [Scan] button
4. When finished, click on the [Save Reports] button & save the log to Desktop.

Please post that log back here for review - it will be large, so use extra posts as needed.
  #40  
Old January 6th, 2008, 04:00 AM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 51,626
I have had a chance to assess some of the infection showing here a little more Mahesha, and would like you to do these steps instead now. We can return to the SREng2 scan later if needed.


Delete the C:\Windows\Prefetch folder (the entire folder), and reboot.

On reboot if you get an error just take note of it, then OK it. Post back any error messages in your next reply.

Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder

When you have done this, doubleclick on Gmer.exe to run it. When Gmer starts it will do a quick scan. If it does not, click the "Rootkit" tab, then click the Scan button to do a scan.

If any instances of the following show in that list, right click on each and select "Restore SSDT". Repeat this until all those entries are removed (but don't make any other changes there). Then click OK to close Gmer.

\??\C:\WINDOWS\system32\wincab.sys

-------------------

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

-------------------

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amv01.dll

--------------------------

Then click the Flash_Disinfector.exe again, and complete that cleaning as you have done before.

-------------------------

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
File::
C:\xj2mvefv.sys
C:\test2.bat
C:\test1.bat
C:\copy.bat
C:\test.bat
C:\WINDOWS\VPC32.INI
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amv01.dll
Folder::
C:\TEMP
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d8d1c5-966e-11dc-8304-00059a3c7800}]
Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------


Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with the ComboFix.txt and a new HijackThis log please.

-------------------------

Also I would like to check one file there to be sure. Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

C:\WINDOWS\java\Packages\ABVBPV9Z.ZIP

You DO NOT need to be a member to upload, anybody can upload the files.
  #41  
Old May 19th, 2017, 07:19 AM
3dtech
New Member
 
Join Date: May 2017
Location: MONA TILES COMPOUND, NR. CHHANI CIRCLE, CHHANI ROAD, VADODARA - 390002. GUJARAT, INDIA.
Posts: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"amva" = "C:\WINDOWS\system32\amvo.exe" [null data]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"QlbCtrl" = "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start"
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"WatchDog" = "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"HP Software Update" = "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"CassandraStartup" = "C:\LaggAt\tools\Cassandra\Cassandra\bin\Cassandra.exe" [file not found]
"Flashget" = "C:\Program Files\FlashGet\FlashGet.exe /min" ["FlashGet.com"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"washindex" = "C:\Program Files\Washer\washidx.exe "Babu"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
-> {HKLM...CLSID} = "Monitor Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btncopy.dll" ["Broadcom Corporation."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKCU...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld" [MS]
"Auto" = "1"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
  #42  
Old May 20th, 2017, 12:36 AM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 51,626
3dtech, please start your own thread following the steps here. Thanks.