Yahoo! Account Infected/Hacked!


  • This topic is locked
23 replies to this topic

#1 vijay.gupta

    Silver Member

  • Authentic Member
  • 400 posts

Posted 18 September 2010 - 08:38 AM

My Yahoo! Mail account got hacked/infected by any malware (I don't know if it is hacked/infected by virus etc) yesterday due to which all the mails in my sent items folder got deleted automatically and random mails got automatically sent to some of my contacts. Can anyone please let me know if it is the action of any malware or hacker? Also, can anyone please let me know if the sent items can be retrieved.



#2 inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 01:25 AM

Hello,

I will be helping you remove malware on your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 48 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________


You will need to right click and choose "Run as Administrator" to run the tools we will use.


Try looking in your Yahoo trash bin to see if the emails are still there.

But first, you need to change the passwords of all your online accounts from a known clean computer.

Now for the logs:

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file, Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post
Please post both DDS logs in your next reply.

--Next--

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


To post in your next reply:
1. DDS logs.
2. RootkitUnhooker LE log.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#3 vijay.gupta

    Silver Member

  • Authentic Member
  • 400 posts

Posted 23 September 2010 - 01:54 AM

Thanks Inzanity for the response. I already changed the password from the same computer. I will change it again from a known clean computer as per your instructions. I also already checked the trash folder and the mails are not there. I will get back to you with the info you asked for. Please let me know if it is a consequence of my account being hacked or of my computer being attacked by a virus etc.?

#4 inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 01:57 AM

Hi. That I cannot tell you for certain, as there may be other reasons why your sent items folder was emptied.



#5 inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 02:03 AM

You might also want to report your account as being compromised to Yahoo: https://edit.yahoo.com/forgotroot/

Edit: Do this also on the clean computer



#6 vijay.gupta

    Silver Member

  • Authentic Member
  • 400 posts

Posted 23 September 2010 - 02:08 AM

Do you mean that you will only be in a position to tell that after troubleshooting this case (after getting the required docs from me)? Also, there was one more thing...some mail got sent to some of my contacts automatically...does the copy of that mail help?

#7 inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 02:15 AM

Hi. Don't open those emails, as they may also contain some malware. The logs from DDS and RKU would suffice for now. I am here to help you get rid of any malicious software that may be residing on your PC and will also try to determine the cause of your emptied sent items. How about your inbox? Is it intact?



#8 vijay.gupta

    Silver Member

  • Authentic Member
  • 400 posts

Posted 23 September 2010 - 02:22 AM

Yes, they are intact

#9 inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 02:26 AM

:thumbup: The infection may have deleted your sent items folder in order for you not to be able to track where it's sending spam. Please post the logs when you're ready and we'll go from there.



#10 vijay.gupta

    Silver Member

  • Authentic Member
  • 400 posts

Posted 23 September 2010 - 10:42 PM

Below are the required logs. Please let me know if anything else is required:

Can I remove DDS and Rootkit Unhooker from my system now?

Also, I have re-enabled the Norton Anti-virus after doing this.

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Vijay at 9:55:59.40 on 24/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.985.241 [GMT 5.5:30]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ChgService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MMX300G 3G USB Manager\USB Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {4C79B948-5152-40F6-8156-E431958DB50A} = 218.248.255.193 218.248.240.181
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vijay\applic~1\mozilla\firefox\profiles\9a6tfvkb.default\
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}


============= SERVICES / DRIVERS ===============

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-8-26 38976]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2010-8-26 135168]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2010-8-26 103424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-22 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100921.003\naveng.sys [2010-9-22 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100921.003\navex15.sys [2010-9-22 1362608]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-26 1684736]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

=============== Created Last 30 ================

2010-09-16 07:01:09 0 d-----w- c:\program files\NSEIT
2010-09-16 06:53:49 0 d-----w- c:\windows\system32\URTTemp
2010-09-12 15:01:36 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-12 15:01:36 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-09-12 15:01:36 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2010-09-12 15:01:36 28160 ----a-w- c:\windows\system32\irmon.dll
2010-09-12 15:01:35 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2010-09-12 15:01:35 151552 ----a-w- c:\windows\system32\irftp.exe
2010-09-03 16:54:32 0 d-----w- c:\program files\GRETECH
2010-09-01 03:29:20 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-08-31 19:31:15 0 d-----w- c:\windows\system32\scripting
2010-08-31 19:31:15 0 d-----w- c:\windows\l2schemas
2010-08-31 19:31:14 0 d-----w- c:\windows\system32\en
2010-08-31 19:31:14 0 d-----w- c:\windows\system32\bits
2010-08-31 18:30:59 67866 ------w- c:\windows\system32\drivers\netwlan5.img
2010-08-31 18:29:08 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-08-30 18:41:55 0 d-----w- c:\program files\MMX300G 3G USB Manager
2010-08-30 05:00:29 376 ----a-w- c:\windows\ODBC.INI
2010-08-30 05:00:18 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-08-30 04:59:22 0 d-----w- c:\program files\Microsoft ActiveSync
2010-08-30 04:58:27 0 d-----w- c:\windows\SHELLNEW
2010-08-30 04:38:52 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-30 04:38:52 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-30 04:38:51 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-08-30 04:38:51 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-08-30 04:38:51 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-30 04:38:51 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-08-30 04:38:51 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-30 04:38:51 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-08-30 04:38:51 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-08-30 04:35:36 0 d-----w- c:\windows\network diagnostic
2010-08-29 10:43:39 0 d-----w- c:\program files\MagicISO
2010-08-29 08:56:18 0 d-----w- c:\program files\uTorrent
2010-08-29 08:56:11 0 d-----w- c:\docume~1\vijay\applic~1\uTorrent
2010-08-28 17:45:02 0 d-----w- c:\windows\ServicePackFiles
2010-08-28 17:44:13 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-28 08:04:03 0 d-----w- c:\documents and settings\vijay\nimbuzz
2010-08-28 08:03:55 0 d-----w- c:\program files\Nimbuzz
2010-08-28 07:55:07 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-28 07:40:10 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-27 22:28:14 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-27 22:28:14 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-27 22:23:51 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-27 22:19:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-27 22:18:43 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-27 22:16:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-27 22:15:07 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-27 22:15:07 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-27 21:47:29 0 d-sh--w- c:\documents and settings\vijay\UserData
2010-08-27 21:43:28 2516 ----a-w- c:\windows\system32\drivers\default.bin
2010-08-27 21:43:28 2516 ----a-w- c:\windows\system32\default.bin
2010-08-27 21:42:45 0 d-----w- c:\program files\CheckPoint
2010-08-27 07:07:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-27 07:07:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-08-27 06:50:29 0 d-----w- c:\program files\K-Lite Codec Pack
2010-08-27 04:58:58 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 20:18:32 0 d-----w- c:\windows\system32\PreInstall
2010-08-26 20:18:30 0 d--h--w- c:\windows\$hf_mig$
2010-08-26 20:04:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-26 19:36:28 0 d-----w- C:\Downloads
2010-08-26 19:32:51 0 d-----w- c:\program files\CCleaner
2010-08-26 19:31:44 0 d-----w- c:\docume~1\vijay\applic~1\Free Download Manager
2010-08-26 19:31:40 0 d-----w- c:\program files\Free Download Manager
2010-08-26 19:31:40 0 d-----w- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
2010-08-26 18:55:29 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-26 07:17:06 0 ----a-w- c:\windows\vpc32.INI
2010-08-26 07:13:09 0 d-----w- c:\program files\VideoLAN
2010-08-26 07:12:36 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-08-26 07:12:35 0 d-----w- c:\program files\NetWorx
2010-08-26 07:12:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SoftPerfect
2010-08-26 07:11:09 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-26 07:11:09 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-26 07:11:09 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-26 07:11:09 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-26 07:11:06 0 d-----w- c:\windows\RegisteredPackages
2010-08-26 07:10:59 0 d-----w- c:\program files\Symantec
2010-08-26 07:10:52 0 d-----w- c:\program files\Symantec AntiVirus
2010-08-26 07:10:52 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-26 07:10:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-08-26 05:45:52 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2010-08-26 05:45:52 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2010-08-26 03:57:40 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-26 03:56:56 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-26 03:56:42 0 d-----w- c:\program files\Realtek
2010-08-26 03:55:32 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-26 03:55:30 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-08-26 03:55:26 0 d-----w- C:\Intel
2010-08-26 03:53:52 0 d-----w- c:\program files\MSXML 4.0
2010-08-26 03:53:46 0 d-----w- C:\TempEI4
2010-08-25 22:31:57 0 d-----w- c:\program files\common files\ODBC
2010-08-25 22:31:51 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-25 22:31:04 0 d-----r- c:\documents and settings\all users\Documents
2010-08-25 17:15:08 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-25 17:14:52 0 d--h--w- c:\program files\WindowsUpdate
2010-08-25 17:13:02 0 d-----w- c:\program files\common files\MSSoap
2010-08-25 17:11:05 0 d-----w- c:\program files\Online Services
2010-08-25 17:10:59 0 d-----w- c:\program files\Messenger
2010-08-25 17:10:49 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-25 17:09:37 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-08-25 17:11:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 9:56:07.75 ===============


Rootkit Unhooker Report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF6BC5000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xA9718000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xF6C25000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA955D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF7372000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7401000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xA92D0000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xA9DBF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7671000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7651000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7751000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7681000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA8AC3000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7771000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7581000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7641000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76A1000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7561000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7621000 C:\WINDOWS\system32\Drivers\pssdk42.sys 49152 bytes (microOLAP Technologies LTD, PSSDK Driver Protocol v4.2 32bit)
0xF76C1000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA9DDF000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7661000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7551000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76B1000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7541000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76F1000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xA8B6B000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 40960 bytes (Symantec Corporation, Redirector Filter Driver)
0xF76D1000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7571000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7781000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7691000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF75F1000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA9DEF000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7BE4000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA9DAF000 C:\WINDOWS\System32\drivers\omdrv.sys 36864 bytes (Check Point Software Technologies, -)
0xF7591000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7611000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7901000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF78E9000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78D9000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7829000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7869000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF77C1000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7881000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7831000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7851000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7821000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF78C1000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78E1000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF77C9000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7841000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7849000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7839000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7929000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA7F49000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF7A0D000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA919C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF79ED000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7951000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA9D0F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF68D7000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA9D13000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF79FD000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA97AE000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7A81000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A45000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7AC3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A7B000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A41000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A87000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A6F000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7A8B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A57000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A5D000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A43000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C0B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BA5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BB2000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B09000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Edited by vijay.gupta, 23 September 2010 - 10:49 PM.



#11 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 23 September 2010 - 11:14 PM

Hi,

Please do the following:

Please go to Virus Total
  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box or by navigating (browse) to this file:
    C:\WINDOWS\system32\ChgService.exe
  • Click Send file. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now
Please post the results or Virus Total's report link in your next reply.

--Next--

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs
--------------------------------------------------------------------
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the ComboFix log.

To post in your next reply:
1. Virus Total log.
2. ComboFix log.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________



#12 vijay.gupta

vijay.gupta

    Silver Member

  • Authentic Member
  • PipPipPip
  • 400 posts

Posted 24 September 2010 - 01:56 AM

Ok... I will do this. Can I uninstall/remove DDS and Rootkit Unhooker from my computer?

#13 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 24 September 2010 - 02:10 AM

Hi, leave them, as we may be needing them. We'll clean up all the tools once we're done.

#14 vijay.gupta

vijay.gupta

    Silver Member

  • Authentic Member
  • PipPipPip
  • 400 posts

Posted 24 September 2010 - 08:33 PM

Please let me know if anything else is required:

VT Report Link:

http://www.virustota...375d-1285356157


ComboFix log:

ComboFix 10-09-23.01 - Vijay 25/09/2010 7:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.985.381 [GMT 5.5:30]
Running from: c:\downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-16 07:01 . 2010-09-16 07:01 766 ----a-r- c:\documents and settings\Vijay\Application Data\Microsoft\Installer\{61827F1D-1DE4-420C-8FF0-D3E864FD233A}\_4ae13d6c.exe
2010-09-16 07:01 . 2010-09-16 07:01 766 ----a-r- c:\documents and settings\Vijay\Application Data\Microsoft\Installer\{61827F1D-1DE4-420C-8FF0-D3E864FD233A}\_2cd672ae.exe
2010-09-16 07:01 . 2010-09-16 07:01 766 ----a-r- c:\documents and settings\Vijay\Application Data\Microsoft\Installer\{61827F1D-1DE4-420C-8FF0-D3E864FD233A}\_294823.exe
2010-09-16 07:01 . 2010-09-16 07:01 766 ----a-r- c:\documents and settings\Vijay\Application Data\Microsoft\Installer\{61827F1D-1DE4-420C-8FF0-D3E864FD233A}\_18be6784.exe
2010-09-16 07:01 . 2010-09-16 07:01 -------- d-----w- c:\program files\NSEIT
2010-09-16 06:55 . 2010-09-20 17:01 -------- d-----w- c:\documents and settings\Vijay\Local Settings\Application Data\ApplicationHistory
2010-09-16 06:53 . 2010-09-16 06:54 -------- d-----w- c:\windows\system32\URTTemp
2010-09-12 15:01 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-12 15:01 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-09-12 15:01 . 2008-04-14 00:11 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2010-09-12 15:01 . 2008-04-14 00:11 28160 ----a-w- c:\windows\system32\irmon.dll
2010-09-12 15:01 . 2008-04-14 00:12 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2010-09-12 15:01 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\irftp.exe
2010-09-10 19:45 . 2010-09-10 19:45 2826192 ----a-w- c:\documents and settings\Vijay\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-09-04 06:51 . 2010-09-04 06:51 -------- d-----w- c:\documents and settings\Vijay\Application Data\vlc
2010-09-03 16:55 . 2010-09-03 16:55 -------- d-----w- c:\documents and settings\Vijay\Application Data\GRETECH
2010-09-03 16:54 . 2010-09-03 16:54 -------- d-----w- c:\program files\GRETECH
2010-09-01 04:01 . 2010-09-01 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-09-01 03:29 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-08-31 19:31 . 2010-08-31 19:31 -------- d-----w- c:\windows\system32\scripting
2010-08-31 19:31 . 2010-08-31 19:31 -------- d-----w- c:\windows\l2schemas
2010-08-31 19:31 . 2010-08-31 19:31 -------- d-----w- c:\windows\system32\en
2010-08-31 19:31 . 2010-08-31 19:31 -------- d-----w- c:\windows\system32\bits
2010-08-31 18:31 . 2004-08-03 16:59 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2010-08-31 18:31 . 2004-08-03 16:59 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2010-08-31 18:31 . 2004-08-03 16:59 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2010-08-31 18:31 . 2004-08-03 16:59 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2010-08-31 18:31 . 2004-08-03 16:59 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2010-08-31 18:31 . 2004-08-03 16:59 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2010-08-31 18:31 . 2004-08-03 17:11 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-08-31 18:31 . 2004-08-03 17:11 13240 ------w- c:\windows\system32\drivers\slwdmsup.sys
2010-08-31 18:31 . 2004-08-03 17:11 404990 ------w- c:\windows\system32\drivers\slntamr.sys
2010-08-31 18:31 . 2004-08-03 17:11 129535 ------w- c:\windows\system32\drivers\slnt7554.sys
2010-08-31 18:31 . 2004-08-03 16:59 166912 ------w- c:\windows\system32\drivers\s3gnbm.sys
2010-08-31 18:31 . 2004-08-03 17:11 13776 ------w- c:\windows\system32\drivers\recagent.sys
2010-08-31 18:30 . 2004-08-03 17:11 180360 ------w- c:\windows\system32\drivers\ntmtlfax.sys
2010-08-31 18:30 . 2004-08-03 16:59 1897408 ------w- c:\windows\system32\drivers\nv4_mini.sys
2010-08-31 18:30 . 2001-08-23 15:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-08-31 18:30 . 2001-08-23 15:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-08-31 18:30 . 2004-08-03 17:11 126686 ------w- c:\windows\system32\drivers\mtlmnt5.sys
2010-08-31 18:30 . 2004-08-03 17:11 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys
2010-08-31 18:30 . 2004-08-03 16:59 452736 ------w- c:\windows\system32\drivers\mtxparhm.sys
2010-08-31 18:30 . 2004-08-03 17:11 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2010-08-31 18:30 . 2004-08-03 17:11 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys
2010-08-31 18:30 . 2004-08-03 17:11 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys
2010-08-31 18:30 . 2004-08-03 17:11 220032 ------w- c:\windows\system32\drivers\hsfbs2s2.sys
2010-08-30 18:41 . 2010-08-30 18:41 -------- d-----w- c:\program files\MMX300G 3G USB Manager
2010-08-30 05:00 . 2003-06-18 12:01 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-08-30 05:00 . 2003-06-18 12:01 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-08-30 04:59 . 2010-08-30 04:59 -------- d-----w- c:\program files\Microsoft.NET
2010-08-30 04:59 . 2010-08-30 04:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-30 04:58 . 2010-08-30 04:59 -------- d-----w- c:\windows\SHELLNEW
2010-08-30 04:55 . 2010-08-30 04:55 -------- d-----r- C:\MSOCache
2010-08-30 04:38 . 2010-06-24 12:15 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-30 04:38 . 2010-06-24 12:15 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-30 04:38 . 2010-06-24 12:15 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-30 04:38 . 2010-06-24 12:15 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-30 04:38 . 2010-06-24 12:15 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-08-30 04:38 . 2010-06-24 12:15 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-08-30 04:38 . 2010-06-23 12:06 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-08-30 04:38 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-08-30 02:19 . 2010-08-30 02:19 -------- d-----w- c:\documents and settings\Vijay\Application Data\Media Player Classic
2010-08-29 10:43 . 2010-08-29 10:43 -------- d-----w- c:\program files\MagicISO
2010-08-29 09:09 . 2010-08-29 09:09 -------- d-----w- c:\documents and settings\Vijay\Local Settings\Application Data\Identities
2010-08-29 08:56 . 2010-08-29 09:26 -------- d-----w- c:\program files\uTorrent
2010-08-29 08:56 . 2010-08-30 02:18 -------- d-----w- c:\documents and settings\Vijay\Application Data\uTorrent
2010-08-29 05:08 . 2010-08-29 05:08 -------- d-----w- c:\windows\Sun
2010-08-28 17:45 . 2010-08-31 19:28 -------- d-----w- c:\windows\ServicePackFiles
2010-08-28 17:44 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-28 09:57 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-08-28 09:57 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-08-28 09:57 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-08-28 09:57 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-08-28 09:57 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-08-28 09:57 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-08-28 09:57 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-08-28 09:57 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-08-28 09:57 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-28 09:57 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-28 09:57 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-08-28 09:57 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-28 08:04 . 2010-08-28 08:04 -------- d-----w- c:\documents and settings\Vijay\nimbuzz
2010-08-28 08:03 . 2010-08-28 08:03 -------- d-----w- c:\program files\Nimbuzz
2010-08-28 07:55 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-28 07:40 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-27 22:31 . 2010-09-14 17:24 -------- d-----w- c:\documents and settings\Vijay\Local Settings\Application Data\Adobe
2010-08-27 22:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-27 22:28 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-27 22:23 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-27 22:19 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-27 22:18 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-27 22:16 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-27 22:15 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-27 22:15 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-27 21:47 . 2010-08-27 21:47 -------- d-sh--w- c:\documents and settings\Vijay\UserData
2010-08-27 21:43 . 2007-05-24 04:43 2516 ----a-w- c:\windows\system32\drivers\default.bin
2010-08-27 21:43 . 2007-05-24 04:43 2516 ----a-w- c:\windows\system32\default.bin
2010-08-27 21:42 . 2010-08-27 21:42 -------- d-----w- c:\program files\CheckPoint
2010-08-27 07:07 . 2010-07-22 05:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-27 07:07 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-08-27 06:50 . 2007-09-04 16:56 164352 ----a-w- c:\windows\system32\unrar.dll
2010-08-27 06:50 . 2008-07-25 08:34 81920 ----a-w- c:\windows\system32\dpl100.dll
2010-08-27 06:50 . 2008-07-23 16:50 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2010-08-27 06:50 . 2008-01-10 12:16 159839 ----a-w- c:\windows\system32\xvidvfw.dll
2010-08-27 06:50 . 2008-01-10 12:15 755027 ----a-w- c:\windows\system32\xvidcore.dll
2010-08-27 06:50 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-08-27 06:50 . 2008-07-25 08:34 683520 ----a-w- c:\windows\system32\divx.dll
2010-08-27 06:50 . 2008-06-12 18:36 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2010-08-27 06:50 . 2010-08-27 06:50 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-08-27 05:03 . 2010-08-27 05:03 503808 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e2f1b7f-n\msvcp71.dll
2010-08-27 05:03 . 2010-08-27 05:03 499712 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e2f1b7f-n\jmc.dll
2010-08-27 05:03 . 2010-08-27 05:03 348160 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e2f1b7f-n\msvcr71.dll
2010-08-27 05:00 . 2010-08-27 05:00 61440 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2ba6391b-n\decora-sse.dll
2010-08-27 05:00 . 2010-08-27 05:00 12800 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2ba6391b-n\decora-d3d.dll
2010-08-27 04:59 . 2010-08-27 04:59 -------- d-----w- c:\program files\Common Files\Java
2010-08-27 04:58 . 2010-07-16 23:30 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 20:18 . 2010-09-15 06:54 -------- d--h--w- c:\windows\$hf_mig$
2010-08-26 20:04 . 2010-08-27 04:58 -------- d-----w- c:\program files\Java
2010-08-26 20:03 . 2010-08-26 20:03 152576 ----a-w- c:\documents and settings\Vijay\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2010-08-26 19:36 . 2010-09-24 19:26 -------- d-----w- C:\Downloads
2010-08-26 19:32 . 2010-08-26 19:32 -------- d-----w- c:\program files\CCleaner
2010-08-26 19:31 . 2010-08-26 19:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-26 19:31 . 2010-09-25 02:05 -------- d-----w- c:\documents and settings\Vijay\Application Data\Free Download Manager
2010-08-26 19:31 . 2010-08-26 19:31 -------- d-----w- c:\program files\Free Download Manager
2010-08-26 19:31 . 2010-08-26 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-10 02:27 . 2010-09-10 02:25 -------- d-----w- c:\documents and settings\Vijay\Application Data\Winamp
2010-09-10 02:26 . 2010-09-10 02:25 -------- d-----w- c:\program files\Winamp
2010-08-31 19:33 . 2010-08-25 17:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-26 07:11 . 2010-08-26 07:11 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-26 07:11 . 2010-08-26 07:11 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-26 03:56 . 2010-08-26 03:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-26 03:56 . 2010-08-26 03:56 -------- d-----w- c:\program files\Realtek
2010-08-26 03:56 . 2010-08-26 03:56 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-25 17:16 . 2010-08-25 17:16 -------- d-----w- c:\program files\microsoft frontpage
2010-08-25 17:11 . 2010-08-25 17:11 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-08-17 13:17 . 2004-08-03 19:26 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-03 19:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-30 12:31 . 2004-08-03 19:26 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-01 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-01 142872]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"NetWorx"="c:\program files\NetWorx\networx.exe" [2010-06-29 2944512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2007-05-24 04:43 24665 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [24/05/2007 10:13 AM 2234800]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [26/08/2010 12:42 PM 38976]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [24/05/2007 10:13 AM 36368]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [24/05/2007 10:13 AM 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [24/05/2007 10:13 AM 673456]
R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [26/08/2010 9:26 AM 103424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [22/09/2010 11:49 AM 102448]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [26/08/2010 9:26 AM 135168]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [26/08/2010 9:26 AM 1684736]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/03/2007 7:48 PM 116416]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4C79B948-5152-40F6-8156-E431958DB50A} = 218.248.255.193 218.248.240.181
FF - ProfilePath - c:\documents and settings\Vijay\Application Data\Mozilla\Firefox\Profiles\9a6tfvkb.default\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 07:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-25 07:38:51
ComboFix-quarantined-files.txt 2010-09-25 02:08

Pre-Run: 42,689,843,200 bytes free
Post-Run: 42,710,368,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2DD3836974A984132F718BEE9B80AF41
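
For triage, the policy-related registry blocks in this log are the ones to read first: the Windows Firewall standard profile is off, Security Center has been told to stop alerting about the firewall, monitoring of Symantec AntiVirus is disabled, and uTorrent sits in the firewall exception list. As an added example (not part of this thread and not ComboFix's own code), the Python below pulls those settings out of ComboFix's REGEDIT4-style output; the sample text is constructed from the lines above.

```python
import re

# Constructed sample: the policy-related blocks from the ComboFix log above,
# copied as ComboFix prints them (REGEDIT-style keys, quoted value names).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VAL_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')

def parse_reg_blocks(text):
    """Return {registry key: {value name: raw value}} from the REGEDIT4-style blocks."""
    blocks, current = {}, None
    for line in text.splitlines():
        if (m := KEY_RE.match(line)):
            current = blocks.setdefault(m.group(1), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return blocks

def as_int(raw):
    """DWORDs appear as 'dword:0000000N' or as 'N (0xN)'; anything else gives None."""
    m = re.match(r"dword:([0-9a-f]+)|(\d+)", raw, re.I)
    return int(m.group(1), 16) if m and m.group(1) else (int(m.group(2)) if m else None)

def weakened_protections(text):
    """List the settings in a log that switch off or mask host protection."""
    findings = []
    for key, values in parse_reg_blocks(text).items():
        k = key.lower()
        if k.endswith("microsoft\\security center") and as_int(values.get("FirewallOverride", "")) == 1:
            findings.append("Security Center firewall alerting overridden")
        if "security center\\monitoring\\" in k and as_int(values.get("DisableMonitoring", "")) == 1:
            findings.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1])
        if k.endswith("firewallpolicy\\standardprofile") and as_int(values.get("EnableFirewall", "")) == 0:
            findings.append("Windows Firewall disabled (standard profile)")
        if k.endswith("authorizedapplications\\list"):
            # Every name under this key is a program allowed through the firewall.
            findings.extend("Firewall exception: " + app.replace("\\\\", "\\") for app in values)
    return findings
```

Feeding the whole log in works as well; the `[boot loader]` and other non-policy blocks are parsed but produce no findings.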

#15 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 26 September 2010 - 05:48 AM

Hi,

Please do the following:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished, it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

--Next--

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

--Next--

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
--Next--

How is your computer? Is your Yahoo account still sending spam?

Run another DDS scan for me please. Thank you.

To post in your next reply:
1. Malwarebytes' log.
2. Kaspersky log.
3. DDS logs.
4. How is your computer?

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member
