 [Closed] Virtumonde trouble and port-scanning annoyance, Trojan.virtumonde infection and lots of random IPs are scanning ports |
Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)
  |
 Jul 2 2008, 09:54 PM
Post
#1
|
|
|
New Member  Group: Authentic Member Posts: 6 Joined: 28-June 08 Member No.: 79,905 Operating System: WINDOWS XP SP 2  |
Many thanks for the support provided. I have described the problem below to the best of my ability. Please let me know if you need any additional info. --Singseeker Here are the details of the problem: ENVIRONMENT: I have Windows XP SP2, running McAfee (provided by Comcast) and Spyware Doctor OnGuard. I have uninstalled Norton antivirus that came preinstalled with the machine. I have Anti-Malware, Ad-Aware, Spybot S&D in addition to the above. Since this problem came about, I exclusively use Firefox (not updated to the latest version) and that really seems to help, but I am not sure. PROBLEM SUMMARY: Virtumonde infection detected by Spyware Doctor, Web-requests (not https requests) seem to go to a lot of places before actually going to the correct site (e.g. google-analytics) Several open ports being targeted by untraceable IPs (e.g. port numbers 9100, 2191, NetBIOS session targeted by 192.168.1.102!) At one point, web-surfing became very slow, but that seemed to have been resolved by running FixVundo.exe and FixVMonde.exe Virtumonde infection severity was earlier 'high risk' in Spyware Doctor, but after running FixVundo and FixVMonde, it has been downgraded to 'Medium'. I followed all instructions while running the above two programs to clear Virtumonde, but was unsuccessful I have disabled a lot of processes to close ports and that has helped with the port-scanning problem. I have also banned several IPs originating from Russia, Mexico, China etc. that showed up in McAfee logs. However, I don't know how to block the 192.168 series IPs and the remaining open ports. HIJACKTHIS LOG: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:36:06 PM, on 7/2/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MIT\Kerberos\bin\leash32.exe C:\Program Files\MIT\Kerberos\bin\krbcc32s.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MPS\mpsevh.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\PROGRA~1\McAfee\MSC\mcshell.exe C:\Program Files\Spyware Doctor\pctsGui.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 O4 - Global Startup: Leash Ticket Manager.lnk = C:\Program Files\MIT\Kerberos\bin\leash32.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 8439 bytes |
 |
 
|
|
Jul 3 2008, 05:19 PM
Post
#2
|
|
 Always Happy  Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04 |
Hi
You neednt try to block the 192.168 series of IP addresses. They relate to your computer/network and router. I dont see any signs of Vundo in the HijackThis log, so lets take a wider look Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
|
|
|
|
|
Jul 4 2008, 05:32 AM
Post
#3
|
|
|
New Member Group: Authentic Member Posts: 6 Joined: 28-June 08 Member No.: 79,905 Operating System: WINDOWS XP SP 2 |
Hello.
Many thanks for the quick response. >> Yes, I understand that 198.162 series is my own network. What is surprising is the port scanning done from 'apparently' these local IPs! I, for sure, am not and I don't have any other machines on this network either. Someone seems to be faking their IP and doing the port-scan, and I am not able to block them out by the IP-banning method. Sorry, maybe I wasn't communicating clearly the first time around. Also, if this question does not belong on this forum, or if it is not related to this problem, please let me know and I'll edit the post with apologies. >> FixVundo.exe and VixVMonde.exe both report 'no infection' just like you say. However, Spyware Doctor does show '10 infections' of 'Medium' severity. >> Please find the logs posted below from DSS MAIN: --------- Deckard's System Scanner v20071014.68 Run by Ramesh on 2008-07-03 23:31:16 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 19: 2008-07-04 03:31:30 UTC - RP565 - Deckard's System Scanner Restore Point 18: 2008-06-28 14:03:13 UTC - RP564 - Software Distribution Service 3.0 17: 2008-06-28 02:27:41 UTC - RP563 - System Checkpoint 16: 2008-06-21 17:19:41 UTC - RP562 - System Checkpoint 15: 2008-06-14 18:28:46 UTC - RP561 - Software Distribution Service 3.0 -- First Restore Point -- 1: 2008-04-08 15:27:09 UTC - RP547 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Ramesh.exe) ---------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:35:33 PM, on 7/3/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MIT\Kerberos\bin\leash32.exe C:\Program Files\MIT\Kerberos\bin\krbcc32s.exe C:\Program Files\Mozilla Firefox\firefox.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Documents and Settings\Ramesh\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Ramesh.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 O4 - Global Startup: Leash Ticket Manager.lnk = C:\Program Files\MIT\Kerberos\bin\leash32.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 8361 bytes -- File Associations ----------------------------------------------------------- .reg - regfile - shell\open\command - regedit.exe "%1" %* .scr - scrfile - shell\open\command - "%1" %* -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)> S2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; Samsung Electronics Co., Ltd.; Samsung Electronics Co., Ltd. VECP for Windows 2000, XP> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S2 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing) S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module> S3 SM_sugo3_FUService (sugo3 Status Monitor Service) - "c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc /service (file missing) S4 OracleCSService - c:\oracle\product\10.1.0\orahome10\bin\ocssd.exe service S4 OracleDBConsoleDB1 - c:\oracle\product\10.1.0\orahome10\bin\nmesrvc.exe <Not Verified; Oracle Corporation; > S4 OracleJobSchedulerDB1 - c:\oracle\product\10.1.0\orahome10\bin\extjob.exe db1 S4 OracleOraComp10ProcessManager - c:\oracle\product\10.1.0\oracomp10\opmn\bin\opmn.exe -s S4 OracleOraHome10iSQL*Plus - c:\oracle\product\10.1.0\orahome10\bin\isqlplussvc.exe <Not Verified; Oracle; IPlusSvce> S4 OracleOraHome10SNMPPeerEncapsulator - c:\oracle\product\10.1.0\orahome10\bin\encsvc.exe S4 OracleOraHome10SNMPPeerMasterAgent - c:\oracle\product\10.1.0\orahome10\bin\agntsvc.exe S4 OracleOraHome10TNSListener - c:\oracle\product\10.1.0\orahome10\bin\tnslsnr (file missing) S4 OracleOraToolsClientCache - c:\oratools\bin\onrsd.exe S4 OracleOraWBClientCache - c:\orawb\bin\onrsd.exe S4 OracleServiceDB1 - c:\oracle\product\10.1.0\orahome10\bin\oracle.exe db1 <Not Verified; Oracle Corporation; > -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Cisco Systems VPN Adapter Device ID: ROOT\NET\0001 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter PNP Device ID: ROOT\NET\0001 Service: CVirtA -- Scheduled Tasks ------------------------------------------------------------- 2008-05-01 01:00:20 330 --a------ C:\WINDOWS\Tasks\McQcTask.job 2008-03-08 06:37:32 338 --a------ C:\WINDOWS\Tasks\McDefragTask.job -- Files created between 2008-06-03 and 2008-07-03 ----------------------------- Nothing created in this timespan. -- Find3M Report --------------------------------------------------------------- 2008-07-03 23:28:27 0 d-------- C:\Documents and Settings\Ramesh\Application Data\AdobeUM 2008-07-02 22:36:23 0 d-------- C:\Program Files\Spyware Doctor 2008-06-21 15:39:15 0 d-------- C:\Program Files\Mozilla Thunderbird 2008-06-02 04:30:00 0 d-------- C:\Program Files\eSoftware 2008-06-01 23:06:16 0 d-------- C:\Documents and Settings\Ramesh\Application Data\Malwarebytes 2008-06-01 23:06:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-23 23:18:44 0 d-------- C:\Program Files\Lavasoft 2008-05-23 23:17:55 0 d-------- C:\Program Files\Common Files 2008-05-23 23:17:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-11 06:53:22 0 d-------- C:\Program Files\Trend Micro -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [] "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/11/2008 10:11 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:00 AM] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Leash Ticket Manager.lnk - C:\Program Files\MIT\Kerberos\bin\leash32.exe [9/17/2004 2:53:54 AM] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ramesh^Start Menu^Programs^Startup^Password Safe.lnk] path=C:\Documents and Settings\Ramesh\Start Menu\Programs\Startup\Password Safe.lnk backup=C:\WINDOWS\pss\Password Safe.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "CVPND"=2 (0x2) "AOL ACS"=2 (0x2) "OracleServiceDB1"=2 (0x2) "OracleOraWBClientCache"=3 (0x3) "OracleOraToolsClientCache"=3 (0x3) "OracleOraHome10TNSListener"=2 (0x2) "OracleOraHome10SNMPPeerMasterAgent"=3 (0x3) "OracleOraHome10SNMPPeerEncapsulator"=3 (0x3) "OracleOraHome10iSQL*Plus"=2 (0x2) "OracleOraComp10ProcessManager"=2 (0x2) "OracleDBConsoleDB1"=2 (0x2) "OracleCSService"=2 (0x2) "iPod Service"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 Pml Driver HPZ12 Net Driver HPZ12 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19d51ec4-f9cf-11db-ac3a-00904bb919e4}] AutoRun\command- E:\LaunchU3.exe -a -- Hosts ----------------------------------------------------------------------- 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 8025 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2008-07-03 23:37:59 ------------ EXTRA: ------------ Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Celeron® M processor 1.30GHz Percentage of Memory in Use: 44% Physical Memory (total/avail): 990.42 MiB / 552.71 MiB Pagefile Memory (total/avail): 1800.91 MiB / 1272.32 MiB Virtual Memory (total/avail): 2047.88 MiB / 1922.45 MiB C: is Fixed (NTFS) - 37.25 GiB total, 7.48 GiB free. D: is CDROM (Unformatted) \\.\PHYSICALDRIVE0 - ST94019A - 37.26 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 37.25 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is disabled. FirstRunDisabled is set. AntiVirusDisableNotify is set. FirewallDisableNotify is set. FW: McAfee Personal Firewall v (McAfee) AV: McAfee VirusScan v (McAfee) Outdated [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer" "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger" "C:\\j2sdk1.4.2_07\\bin\\java.exe"="C:\\j2sdk1.4.2_07\\bin\\java.exe:*:Enabled:java" "C:\\j2sdk1.4.2_07\\jre\\bin\\javaw.exe"="C:\\j2sdk1.4.2_07\\jre\\bin\\javaw.exe:*:Enabled:javaw" "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:Earthlink" "C:\\bea\\jdk141_03\\bin\\javaw.exe"="C:\\bea\\jdk141_03\\bin\\javaw.exe:*:Disabled:javaw" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server" "C:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary" "C:\\Program Files\\Abacast\\Abaclient.exe"="C:\\Program Files\\Abacast\\Abaclient.exe:*:Enabled:Abaclient" "C:\\Program Files\\Java\\jdk1.5.0_06\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.5.0_06\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary" "C:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\javaw.exe"="C:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary" "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk" "C:\\Program Files\\OPNET EDU\\9.1.A\\sys\\pc_intel_win32\\bin\\itguru.exe"="C:\\Program Files\\OPNET EDU\\9.1.A\\sys\\pc_intel_win32\\bin\\itguru.exe:*:Enabled:OPNET 9.1.A" "C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2006-12-31_11-02-58AM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2006-12-31_11-02-58AM\\jre\\1.4.2\\bin\\javaw.exe:*:Enabled:javaw" "C:\\oracle\\product\\10.1.0\\OraHome10\\jdk\\jre\\bin\\java.exe"="C:\\oracle\\product\\10.1.0\\OraHome10\\jdk\\jre\\bin\\java.exe:*:Enabled:java" "C:\\oracle\\product\\10.1.0\\OraHome10\\jdk\\jre\\bin\\javaw.exe"="C:\\oracle\\product\\10.1.0\\OraHome10\\jdk\\jre\\bin\\javaw.exe:*:Enabled:javaw" "C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2006-12-31_02-49-19PM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2006-12-31_02-49-19PM\\jre\\1.4.2\\bin\\javaw.exe:*:Enabled:javaw" "C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2007-01-09_10-49-26PM\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\Ramesh\\Local Settings\\Temp\\OraInstall2007-01-09_10-49-26PM\\jre\\bin\\javaw.exe:*:Enabled:javaw" "C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer" "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Disabled:Azureus" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.0" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger" "C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player" "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent" "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Ramesh\Application Data CATALINA_HOME=C:\jakarta-tomcat-4.1.31 CLASSPATH=.;C:\Program Files\MySQL\Connectors\mysql-connector-java-3.1.7.zip;C:\Program Files\MySQL\Connectors\mysql-connector-java-3.1.7; CLIENTNAME=Console COLLECTIONID=COL8143 CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=DESIPC ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Ramesh ITEMID=dj-22741-15 JAVA_HOME=C:\Program Files\Java\jdk1.5.0_06 LANG=1033 LOGONSERVER=\\DESIPC NUMBER_OF_PROCESSORS=1 OS=Windows_NT OSVER=winXPH Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\MIT\Kerberos\Bin;C:\Program Files\GNU\GnuPG\pub;C:\Sun\AppServer\bin;C:\Program Files\GNU\GnuPG PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PERL5LIB=C:\oracle\product\10.1.0\OraHome10\perl\lib\5.6.1\MSWin32-x86;C:\oracle\product\10.1.0\OraHome10\perl\lib\5.6.1;C:\oracle\product\10.1.0\OraHome10\perl\5.6.1\lib\MSWin32-x86;C:\oracle\product\10.1.0\OraHome10\perl\site\5.6.1;C:\oracle\product\10.1.0\OraHome10\perl\site\5.6.1\lib;C:\oracle\product\10.1.0\OraHome10\sysman\admin\scripts PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0d06 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip SESSIONID=1135039434941htx6056af28ad:1088efb2b0c:69ab SESSIONNAME=Console SWUTVER=1.0.3.1 SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Ramesh\LOCALS~1\Temp TIMEOUT=0 TMP=C:\DOCUME~1\Ramesh\LOCALS~1\Temp TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm UPDATEDIR=C:\DOCUME~1\Ramesh\LOCALS~1\Temp\radACA84.tmp USERDOMAIN=DESIPC USERNAME=Ramesh USERPROFILE=C:\Documents and Settings\Ramesh VERSION=3.0.5.001 windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Ramesh (admin) Suja (admin) LocalAdmin (admin) Hema Papaji And Amma -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Abacast Client --> C:\PROGRA~1\Abacast\UNWISE.EXE C:\PROGRA~1\Abacast\client.LOG Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24} Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002} Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log Cisco Systems VPN Client 4.8.01.0300 --> MsiExec.exe /X{D25122BC-A60E-4663-B602-B01718F12044} Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE} Conexant AC-Link Audio --> CIAunwdm.exe Desktop Doctor --> "C:\Program Files\Support.com\providerComcast\Uninstall.exe" /c "Remove Desktop Doctor?" DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER eCommerce --> C:\ECOM_J~1\UNWISE.EXE C:\ECOM_J~1\INSTALL.LOG Endorsor Verifier (remove only) --> C:\Program Files\Endorsor Verifier\Uninst.exe GNU Privacy Guard --> "C:\Program Files\GNU\GnuPG\uninst-gnupg.exe" GnuPG For Windows --> "C:\Program Files\GNU\GnuPG\gpg4win-uninstall.exe" Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe" H264 Codecs --> MsiExec.exe /X{A3A1A5F0-0B94-4E69-B3E1-92F25E31BEE9} HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878} HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D} IBM WebSphere Business Modeler Advanced Version 6.0.2 --> C:\Program Files\IBM\WebSphere\Modeler6\_uninst\uninstaller.exe Information Security --> C:\IS_JITL\UNWISE.EXE C:\IS_JITL\INSTALL.LOG Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582 InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL Intro to Database Management --> C:\IDB_JITL\UNWISE.EXE C:\IDB_JITL\INSTALL.LOG iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4} J2SE Development Kit 5.0 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150060} J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060} J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090} Java 2 Runtime Environment, SE v1.4.2_07 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142070} Java 2 SDK, SE v1.4.2_07 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142070} Java Platform, Enterprise Edition 5 SDK --> "C:\Sun\AppServer\uninstall.exe" -javahome "C:\Sun\AppServer\jdk" LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8} Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3} Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80} Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7} Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9} Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9} Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" MIT Kerberos for Windows 2.6.5 --> MsiExec.exe /I{BC1AAD0F-BF94-440F-BCBF-E44533C5E417} Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall MySQL Query Browser 1.1 --> MsiExec.exe /X{6BB15A87-59D9-46E8-87DF-0914BBCBFF44} MySQL Server 5.0 --> MsiExec.exe /I{C195FD06-78E3-4CD9-87F0-2EF3FE5EB7AD} OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1 OPNET IT Guru Academic Edition 9.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBFA98B2-1D1D-488C-B80D-26057DA9A492}\Setup.exe" Add_Remove OPNET Model Library Academic Edition 9.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23532305-7458-4592-9D3A-18F15803973A}\setup.exe" Add_Remove Oracle JInitiator 1.3.1.17 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Oracle\JInitiator 1.3.1.17\Uninst.isu" Philips PC Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\setup.exe" -l0x9 -removeonly Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA} QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A} RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19} Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} Samsung ML-2510 Series --> C:\Program Files\Samsung\Samsung ML-2510 Series\Install\Setup.exe /R Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9 Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C\HXFSETUP.EXE -U -Ihpm30805.inf Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3} SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715} VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe" Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe WinSCP 3.8.2 --> "C:\Program Files\WinSCP3\unins000.exe" WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG -- Application Event Log ------------------------------------------------------- Event Record #/Type45718 / Error Event Submitted/Written: 07/03/2008 01:20:15 AM Event ID/Source: 8193 / VSS Event Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206. Event Record #/Type45717 / Error Event Submitted/Written: 07/03/2008 01:20:15 AM Event ID/Source: 4609 / EventSystem Event Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. Event Record #/Type45704 / Error Event Submitted/Written: 07/02/2008 10:16:21 PM Event ID/Source: 8193 / VSS Event Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206. Event Record #/Type45703 / Error Event Submitted/Written: 07/02/2008 10:16:21 PM Event ID/Source: 4609 / EventSystem Event Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. Event Record #/Type45677 / Error Event Submitted/Written: 06/28/2008 02:47:38 PM Event ID/Source: 8193 / VSS Event Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type82414 / Error Event Submitted/Written: 07/03/2008 11:28:19 PM Event ID/Source: 10005 / DCOM Event Description: DCOM got error "%%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Event Record #/Type82408 / Error Event Submitted/Written: 07/03/2008 11:25:08 PM Event ID/Source: 10005 / DCOM Event Description: DCOM got error "%%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Event Record #/Type82407 / Error Event Submitted/Written: 07/03/2008 11:23:15 PM Event ID/Source: 7001 / Service Control Manager Event Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error: %%1058 Event Record #/Type82406 / Error Event Submitted/Written: 07/03/2008 11:23:15 PM Event ID/Source: 7001 / Service Control Manager Event Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error: %%1058 Event Record #/Type82405 / Error Event Submitted/Written: 07/03/2008 11:23:14 PM Event ID/Source: 7001 / Service Control Manager Event Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error: %%1058 -- End of Deckard's System Scanner: finished at 2008-07-03 23:37:59 ------------ |
|
|
|
|
Jul 4 2008, 06:07 AM
Post
#4
|
|
|
New Member Group: Authentic Member Posts: 6 Joined: 28-June 08 Member No.: 79,905 Operating System: WINDOWS XP SP 2 |
Hello again.
I have a Spyware Doctor log that shows the Virtumonde infection instances. Please find it in the attached logfile. One other thing: I am not sure which software told me this, but the suspicious program seems to be one 'esoftware', which you can see in the DSS log as well. I hope this provides additional useful information. Many thanks for your help. --singseeker.
Attached File(s)
|
|
|
|
|
Jul 4 2008, 07:37 AM
Post
#5
|
|
|
Always Happy Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04 |
Hi
Looks like a leftover key. And we shall remove that eSoftware folder. BTW, you seem to be missing XP updates. If you already have Combofix, please delete this copy and download it again as it's being updated regularly. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:  Click Yes to allow Combofix to continue scanning for malware. When done, a log will be produced. Please post that log and a new HijackThis log in your next reply. 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser. 3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. In your next reply post: ComboFix.txt New HijackThis log taken after the above scan has run |
|
|
|
|
Jul 4 2008, 08:22 AM
Post
#6
|
|
|
New Member Group: Authentic Member Posts: 6 Joined: 28-June 08 Member No.: 79,905 Operating System: WINDOWS XP SP 2 |
Thanks for the response.
Should I update XP before running ComboFix or does it not matter? --singseeker |
|
|
|
|
Jul 4 2008, 09:01 AM
Post
#7
|
|
|
Always Happy Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04 |
Dont update yet.
|
|
|
|
|
Jul 4 2008, 03:17 PM
Post
#8
|
|
|
New Member Group: Authentic Member Posts: 6 Joined: 28-June 08 Member No.: 79,905 Operating System: WINDOWS XP SP 2 |
Hello. Please find below the logs as requested. There are three logs (Combofix.txt, Hijackthis.log, Log.txt) in that order. I had disabled Spyware Doctor, but did not manage to disable McAfee. Perhaps because of this, I am not sure, but I got a battery of pop ups from the antivirus software. One particular alert was about having blocked a 'high risk' trojan! I was a little scared to proceed, but went ahead and installed the recovery console as well as the combofix utility. Thereafter, I also got a quarantine alert for pv.cfexe just before combofix started to run! If you need any additional information, I'll be glad to answer. Many thanks yet again. --singseeker COMBOFIX.TXT: --------------------------- ComboFix 08-07-04.1 - Ramesh 2008-07-04 16:33:24.1 - NTFSx86 Running from: C:\Documents and Settings\Ramesh\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Ramesh\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Ramesh\Application Data\macromedia\Flash Player\#SharedObjects\ALNDCDVL\www.broadcaster.com C:\Documents and Settings\Ramesh\Application Data\macromedia\Flash Player\#SharedObjects\ALNDCDVL\www.broadcaster.com\played_list.sol C:\Documents and Settings\Ramesh\Application Data\macromedia\Flash Player\#SharedObjects\ALNDCDVL\www.broadcaster.com\video_queue.sol C:\Documents and Settings\Ramesh\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Ramesh\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol . ((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 ))))))))))))))))))))))))))))))) . 2008-07-03 23:30 . 2008-07-03 23:30 <DIR> d |