
Folders changed to .exe!!

Discussion in 'Virus & Other Malware Removal' started by asif281185, Dec 31, 2010.

  1. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:24:53 AM, on 01/01/2002
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Sadaf\My Documents\Downloads\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    F2 - REG:system.ini: Shell=explorer.exe "C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe"
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O17 - HKLM\System\CS2\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

    --
    End of file - 4043 bytes
     
  2. asif281185

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Sadaf at 0:27:01.42 on 01/01/2002
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1636 [GMT 5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Sadaf\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com.pk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    mWinlogon: Shell=explorer.exe "c:\docume~1\sadaf\locals~1\temp\services.exe"
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: {119DA894-0D62-4699-BA25-229FADBB5D67} = 115.167.74.254,115.167.75.254
    Notify: LMIinit - LMIinit.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sadaf\applic~1\mozilla\firefox\profiles\7ss4jv5e.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_02\bin\NPJava11.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_02\bin\NPJava12.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_02\bin\NPJava131_02.dll
    FF - plugin: c:\program files\javasoft\jre\1.3.1_02\bin\NPJava32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff

    ============= SERVICES / DRIVERS ===============

    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-27 47640]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2010-4-12 36864]
    S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [2010-9-17 69120]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================

    2010-12-30 11:44:05 161403 --s-a-w- C:\bachelors.exe
    2010-12-30 11:43:53 -------- d-sh--w- C:\bachelors
    2010-12-30 11:40:12 161403 --s-a-w- C:\mba.exe
    2010-12-30 11:40:03 -------- d-sh--w- C:\mba
    2010-12-22 19:31:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-22 19:31:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-22 19:31:45 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2010-12-09 07:47:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-07 09:23:31 -------- d-----w- c:\program files\FotoSketcher
    2010-12-02 10:00:20 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-12-02 10:00:19 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-12-02 10:00:19 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-12-02 10:00:19 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-11-22 10:36:16 69632 ------r- c:\windows\Alcmtr.exe
    2010-11-22 10:32:33 -------- d-----w- c:\windows\system32\ReinstallBackups
    2010-11-22 10:25:25 2808832 ------r- c:\windows\alcwzrd.exe
    2010-11-22 10:25:23 86016 ------r- c:\windows\SoundMan.exe
    2010-11-22 10:25:23 2165760 ------r- c:\windows\MicCal.exe
    2010-11-22 10:25:23 1826816 ------r- c:\windows\SkyTel.exe
    2010-11-22 10:25:23 16855552 ------r- c:\windows\RTHDCPL.exe
    2010-11-22 10:25:22 9715200 ------r- c:\windows\RTLCPL.exe
    2010-11-22 10:25:22 49152 ------r- c:\windows\system32\ChCfg.exe
    2010-11-22 10:25:22 4620288 ------r- c:\windows\system32\drivers\RtkHDAud.sys
    2010-11-22 10:25:22 299008 ------r- c:\windows\system32\ALSndMgr.cpl
    2010-11-22 10:25:22 282624 ------r- c:\windows\system32\RTSndMgr.cpl
    2010-11-22 10:25:22 1191936 ------r- c:\windows\RtlUpd.exe
    2010-11-22 10:25:22 -------- d-----w- c:\windows\system32\RTCOM
    2010-11-22 10:24:59 22752 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-11-22 10:24:31 -------- d-----w- c:\program files\Realtek
    2010-11-22 10:24:28 315392 ----a-w- c:\windows\HideWin.exe
    2010-11-22 10:24:27 520192 ------r- c:\windows\RtlExUpd.dll
    2010-11-22 10:24:26 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
    2010-11-22 10:24:26 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
    2010-11-22 10:24:26 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
    2010-11-22 10:24:26 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
    2010-11-22 10:24:26 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
    2010-11-22 10:24:25 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
    2010-11-22 10:24:25 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
    2010-11-12 09:37:21 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-11-12 09:37:21 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-09-27 06:09:07 -------- d-----w- c:\program files\Symantec
    2010-09-27 06:09:02 -------- d-----w- c:\program files\common files\Symantec Shared
    2010-09-27 06:06:29 -------- d-----w- c:\program files\MapInfo MapX
    2010-09-27 06:06:16 -------- d-----w- c:\windows\Crystal
    2010-09-27 06:06:09 -------- d-----w- c:\program files\Seagate Software
    2010-09-27 05:52:59 -------- d-----w- c:\docume~1\sadaf\locals~1\applic~1\LogMeIn
    2010-09-27 05:52:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
    2010-09-27 05:52:57 47416 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2010-09-27 05:52:57 28984 ----a-w- c:\windows\system32\LMIport.dll
    2010-09-27 05:52:56 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-09-27 05:52:56 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2010-09-27 05:52:51 87352 ----a-w- c:\windows\system32\LMIinit.dll
    2010-09-27 05:52:41 -------- d-----w- c:\program files\LogMeIn
    2010-09-17 08:58:31 69120 ----a-w- c:\windows\system32\drivers\oopuhnpkpjv.sys
    2010-09-17 08:58:31 172064 ----a-w- c:\windows\system32\drivers\str.sys
    2010-08-13 02:03:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2010-08-13 02:03:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2010-07-10 07:42:01 229888 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HP1006S.DLL
    2010-07-06 07:52:07 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-05-18 12:36:46 -------- d-----w- c:\program files\MSECache
    2010-05-13 07:54:39 -------- d-----w- c:\documents and settings\sadaf\.java
    2010-05-13 07:52:59 45148 ----a-w- c:\windows\system32\plugincpl131_02.cpl
    2010-05-13 07:52:58 -------- d-----w- c:\program files\JavaSoft
    2010-05-13 07:52:46 304128 ----a-w- c:\windows\IsUninst.exe
    2010-05-13 07:52:43 -------- d-----w- c:\documents and settings\sadaf\WINDOWS
    2010-05-07 11:05:05 -------- d-----w- c:\docume~1\sadaf\locals~1\applic~1\Mozilla
    2010-05-01 11:52:37 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-04-15 07:23:40 -------- d-----w- c:\docume~1\sadaf\locals~1\applic~1\Adobe

    ==================== Find3M ====================

    2008-08-11 07:40:34 25248 ----a-w- c:\windows\system32\lmimirr.dll
    2008-08-11 07:40:34 11552 ----a-w- c:\windows\system32\lmimirr2.dll
    2007-10-31 04:35:58 4702208 ----a-r- c:\windows\RtHDVCpl.exe
    2007-10-29 07:29:26 27136 ----a-r- c:\windows\system32\RtkCoInst.dll
    2007-10-24 11:50:14 2101248 ----a-r- c:\windows\system32\RtkAPO.dll
    2007-10-17 07:27:00 582656 ----a-r- c:\windows\system32\RtkPgExt.dll
    2007-07-30 10:26:02 126976 ----a-r- c:\windows\system32\maxxaudioapo.dll
    2007-07-25 01:33:42 135168 ----a-r- c:\windows\system32\SRSWOW.dll
    2007-05-17 03:26:20 185776 ----a-r- c:\windows\system32\SRSTSHD.dll
    2007-04-16 09:09:06 167936 ----a-r- c:\windows\system32\SRSHP360.dll
    2007-03-23 07:34:40 266240 ----a-r- c:\windows\system32\RtkApoApi.dll
    2006-12-13 02:30:06 339968 ----a-r- c:\windows\system32\SRSTSXT.dll
    2006-10-26 09:10:08 1190688 ----a-w- c:\windows\system32\FM20.DLL
    2006-10-26 09:10:06 33088 ----a-w- c:\windows\system32\FM20ENU.DLL
    2006-10-26 08:45:04 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
    2006-10-26 08:45:04 207360 ----a-w- c:\windows\system32\INKED.DLL
    2006-07-24 05:50:40 47920 ----a-w- c:\windows\system32\VBAME.DLL
    2006-07-24 05:50:40 39728 ----a-w- c:\windows\system32\SCP32.DLL
    2006-07-24 05:50:38 125744 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2006-06-26 17:51:29 985088 ----a-w- c:\windows\system32\setupapi.dll
    2005-05-04 09:45:36 884736 ----a-w- c:\windows\system32\msimsg.dll
    2005-05-04 09:45:36 78848 ----a-w- c:\windows\system32\msiexec.exe
    2005-05-04 09:45:36 271360 ----a-w- c:\windows\system32\msihnd.dll
    2005-05-04 09:45:36 15360 ----a-w- c:\windows\system32\msisip.dll
    2005-05-04 09:45:32 2890240 ----a-w- c:\windows\system32\msi.dll
    2005-01-07 12:07:16 61952 ------w- c:\windows\system32\HdAShCut.exe
    2005-01-07 12:07:16 25088 ------w- c:\windows\system32\HdAProp.dll
    2005-01-07 12:07:04 5120 ------w- c:\windows\system32\HdAudRes.dll
    2004-08-04 02:03:44 1042903 ----a-r- c:\windows\SET3.tmp
    2004-08-04 01:58:46 13753 ----a-r- c:\windows\SET8.tmp
    2004-08-04 01:57:10 1086058 ----a-r- c:\windows\SET4.tmp
    2004-08-04 01:07:22 1788 ----a-w- c:\windows\system32\Dcache.bin
    2004-08-04 01:05:44 52224 ----a-w- c:\windows\system32\dmutil.dll
    2004-08-04 01:05:44 51712 ----a-w- c:\windows\system32\wzcsapi.dll
    2004-08-04 01:05:44 47616 ----a-w- c:\windows\system32\iyuv_32.dll
    2004-08-04 01:05:44 47104 ----a-w- c:\windows\system32\cnbjmon.dll
    2004-08-04 01:05:44 359936 ----a-w- c:\windows\system32\wzcsvc.dll
    2004-08-04 01:05:44 35328 ----a-w- c:\windows\system32\pid.dll
    2004-08-04 01:05:44 294912 ----a-w- c:\windows\system32\msh263.drv
    2004-08-04 01:05:44 20992 ----a-w- c:\windows\system32\hid.dll
    2004-08-04 01:05:44 2015232 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2004-08-04 01:05:44 17408 ----a-w- c:\windows\system32\msyuv.dll
    2004-08-04 01:05:44 15360 ----a-w- c:\windows\system32\pjlmon.dll
    2004-08-04 01:02:46 329728 ----a-w- c:\windows\system32\netsetup.exe
    2004-08-04 01:01:10 87176 ----a-w- c:\windows\system32\rdpwsx.dll
    2004-08-04 01:01:08 92168 ----a-w- c:\windows\system32\rdpdd.dll
    2004-08-04 01:01:08 12168 ----a-w- c:\windows\system32\tsddd.dll
    2004-08-04 00:57:06 299520 ----a-w- c:\windows\system32\drmclien.dll
    2004-08-04 00:57:04 695296 ----a-w- c:\windows\system32\drmv2clt.dll
    2004-08-04 00:57:02 356352 ----a-w- c:\windows\system32\msscp.dll
    2004-08-04 00:57:02 259072 ----a-w- c:\windows\system32\msnetobj.dll
    2004-08-03 23:18:32 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2004-08-03 23:17:42 1835904 ----a-w- c:\windows\system32\win32k.sys
    2004-08-03 23:07:34 17664 ----a-w- c:\windows\system32\watchdog.sys
    2004-08-03 23:04:52 20480 ----a-w- c:\windows\system32\wmp.ocx
    2004-08-03 23:01:56 114688 ----a-w- c:\windows\system32\asctrls.ocx
    2004-08-03 23:01:26 98304 ----a-w- c:\windows\system32\wshom.ocx
    2004-08-03 23:01:18 102400 ----a-w- c:\windows\system32\msscript.ocx
    2004-08-03 23:01:16 153088 ----a-w- c:\windows\system32\daxctle.ocx
    2004-08-03 23:00:26 81920 ----a-w- c:\windows\system32\proctexe.ocx
    2004-08-03 23:00:04 218624 ----a-w- c:\windows\system32\sysmon.ocx
    2004-08-03 22:59:58 423936 ----a-w- c:\windows\system32\html.iec
    2004-08-03 22:59:44 655360 ----a-w- c:\windows\system32\mstscax.dll
    2004-08-03 22:59:42 407552 ----a-w- c:\windows\system32\mstsc.exe
    2004-08-03 22:59:36 12800 ----a-w- c:\windows\system32\spiisupd.exe
    2004-08-03 22:59:30 61440 ----a-w- c:\windows\system32\tdc.ocx
    2004-08-03 22:59:28 44544 ----a-w- c:\windows\system32\tscupgrd.exe
    2004-08-03 22:59:24 7424 ----a-w- c:\windows\system32\kd1394.dll
    2004-08-03 22:58:26 61440 ----a-w- c:\windows\system32\msvcrt40.dll
    2004-08-03 22:51:22 53840 ----a-w- c:\windows\system32\dosx.exe
    2004-08-03 22:51:20 5120 ----a-w- c:\windows\system32\winnls.dll
    2004-08-03 22:51:12 68768 ----a-w- c:\windows\system32\mmsystem.dll
    2004-08-03 22:51:12 68768 ----a-w- c:\windows\system\MMSYSTEM.DLL
    2004-08-03 22:51:04 844314 ----a-w- c:\windows\system32\msdxm.ocx
    2004-08-03 22:49:34 92224 ----a-w- c:\windows\system32\krnl386.exe
    2004-08-03 22:48:46 3338 ----a-w- c:\windows\system32\redir.exe
    2004-08-03 22:46:56 42537 ----a-w- c:\windows\system32\keyboard.sys
    2004-08-03 22:45:16 35424 ----a-w- c:\windows\system32\ntio412.sys
    2004-08-03 22:45:16 34560 ----a-w- c:\windows\system32\ntio404.sys
    2004-08-03 22:45:14 34560 ----a-w- c:\windows\system32\ntio804.sys
    2004-08-03 22:45:12 35648 ----a-w- c:\windows\system32\ntio411.sys
    2004-08-03 22:45:10 33840 ----a-w- c:\windows\system32\ntio.sys
    2004-08-03 22:31:44 306176 ----a-w- c:\windows\system32\slbcsp.dll
    2004-08-03 22:31:44 169984 ----a-w- c:\windows\system32\sccbase.dll
    2004-08-03 22:31:44 152576 ----a-w- c:\windows\system32\rsaenh.dll
    2004-08-03 22:31:44 137216 ----a-w- c:\windows\system32\dssenh.dll
    2004-08-03 22:31:44 101888 ----a-w- c:\windows\system32\gpkcsp.dll
    2004-08-03 22:23:00 526848 ----a-w- c:\windows\system32\hhctrl.ocx
    2004-08-03 22:21:52 24576 ----a-w- c:\windows\system32\cliconfg.rll
    2004-08-03 22:21:48 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
    2004-08-03 22:20:16 16384 ----a-w- c:\windows\system32\simpdata.tlb
    2004-08-03 22:20:06 12288 ----a-w- c:\windows\system32\msdatsrc.tlb
    2004-08-03 22:19:56 1351168 ----a-w- c:\windows\system32\mshtml.tlb
    2004-08-03 19:56:58 23552 ----a-w- c:\windows\system32\wdmaud.drv
    2004-08-03 19:56:58 130048 ----a-w- c:\windows\system32\ksproxy.ax
    2004-08-03 19:56:44 4096 ----a-w- c:\windows\system32\ksuser.dll
    2004-07-17 11:42:38 487 ----a-w- c:\windows\system32\login.cmd
    2004-07-17 11:39:16 174200 ----a-w- c:\windows\system32\xenroll.dll
    2004-07-17 11:36:44 4656 ----a-w- c:\windows\system32\ds16gt.dLL
    2004-07-17 11:36:44 26224 ----a-w- c:\windows\system32\odbc16gt.dll

    ============= FINISH: 0:28:06.07 ===============
     
  3. asif281185

    file:///C:/Documents%20and%20Settings/Sadaf/Desktop/Attach.txt

    At a loss how to attach a file to this forum. Kindly let me know if I need to paste the contents of the log file.
     
  4. asif281185

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2002-01-01 00:45:25
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3250318AS rev.CC44
    Running: rv1fzwjf.exe; Driver: C:\DOCUME~1\Sadaf\LOCALS~1\Temp\pxtdrpow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\Sadaf\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\winlogon.exe[688] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\winlogon.exe[688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\winlogon.exe[688] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\winlogon.exe[688] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\winlogon.exe[688] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\winlogon.exe[688] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\winlogon.exe[688] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\winlogon.exe[688] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\services.exe[736] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\services.exe[736] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\services.exe[736] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\services.exe[736] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\services.exe[736] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\services.exe[736] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\svchost.exe[920] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\svchost.exe[920] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\svchost.exe[920] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\svchost.exe[920] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\svchost.exe[920] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\System32\svchost.exe[1096] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\System32\svchost.exe[1096] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\System32\svchost.exe[1096] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\System32\svchost.exe[1096] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\System32\svchost.exe[1096] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1240] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1328] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\wscntfy.exe[1404] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\wscntfy.exe[1404] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\wscntfy.exe[1404] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\spoolsv.exe[1456] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\spoolsv.exe[1456] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\spoolsv.exe[1456] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 104F3DF8
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 104F3C40
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 104F3E7C
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] WS2_32.dll!connect 71AB406A 5 Bytes JMP 104F3AF4
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] WS2_32.dll!send 71AB428A 5 Bytes JMP 104F3268
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 104F27F4
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] WS2_32.dll!recv 71AB615A 5 Bytes JMP 104F2788
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1604] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 104F3AA0
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 100E3DF8
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100E3C40
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 100E3E7C
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ws2_32.dll!connect 71AB406A 5 Bytes JMP 100E3AF4
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ws2_32.dll!send 71AB428A 5 Bytes JMP 100E3268
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100E27F4
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ws2_32.dll!recv 71AB615A 5 Bytes JMP 100E2788
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1684] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 100E3AA0
    .text C:\WINDOWS\explorer.exe[1700] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\explorer.exe[1700] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\explorer.exe[1700] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1776] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 100E3DF8
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100E3C40
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 100E3E7C
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100E3AF4
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] WS2_32.dll!send 71AB428A 5 Bytes JMP 100E3268
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100E27F4
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] WS2_32.dll!recv 71AB615A 5 Bytes JMP 100E2788
    .text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[1784] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 100E3AA0
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\Program Files\Google\Google Talk\googletalk.exe[1792] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    CODE C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe entry point in "CODE" section [0x004050F4]
    .ifc C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe unknown last code section [0x00410000, 0x2307B, 0xE0000060]
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\Messenger\msmsgs.exe[1820] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\Program Files\Messenger\msmsgs.exe[1820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\Program Files\Messenger\msmsgs.exe[1820] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\Program Files\Messenger\msmsgs.exe[1820] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\Program Files\Messenger\msmsgs.exe[1820] WS2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\Program Files\Messenger\msmsgs.exe[1820] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\Program Files\Messenger\msmsgs.exe[1820] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\Program Files\Messenger\msmsgs.exe[1820] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\ctfmon.exe[1836] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\ctfmon.exe[1836] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\ctfmon.exe[1836] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\WINDOWS\system32\svchost.exe[1948] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
    .text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
    .text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10003E7C
    .text C:\WINDOWS\system32\svchost.exe[1948] ws2_32.dll!connect 71AB406A 5 Bytes JMP 10003AF4
    .text C:\WINDOWS\system32\svchost.exe[1948] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
    .text C:\WINDOWS\system32\svchost.exe[1948] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100027F4
    .text C:\WINDOWS\system32\svchost.exe[1948] ws2_32.dll!recv 71AB615A 5 Bytes JMP 10002788
    .text C:\WINDOWS\system32\svchost.exe[1948] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 10003AA0
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 100E3DF8
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100E3C40
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 100E3E7C
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ws2_32.dll!connect 71AB406A 5 Bytes JMP 100E3AF4
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ws2_32.dll!send 71AB428A 5 Bytes JMP 100E3268
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100E27F4
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ws2_32.dll!recv 71AB615A 5 Bytes JMP 100E2788
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1980] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 100E3AA0
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10A83DF8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10A83C40
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!ExitProcess 7C81CAA2 5 Bytes JMP 10A83E7C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10A83AF4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!send 71AB428A 5 Bytes JMP 10A83268
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 10A827F4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!recv 71AB615A 5 Bytes JMP 10A82788
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 10A83AA0

    ---- EOF - GMER 1.0.15 ----
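The hook table above is easier to judge as a whole than line by line. Every listed process, from spoolsv.exe to firefox.exe, has the same eight functions (NtOpenKey, CreateProcessW, ExitProcess and the Winsock connect/send/recv family) patched with a 5-byte JMP, and the JMP targets differ between processes only by a constant: 10003DF8 in explorer.exe, 10A83DF8 in firefox.exe, 104F3DF8 in LogMeIn.exe. That is the signature of one DLL injected into every process and relocated to a different base in each. The script below is an added example, not part of the thread or of GMER: it parses GMER user-mode hook lines, normalises each process's JMP targets to offsets from the lowest target (which cancels out the module base), and reports whether all hooked processes share one hook fingerprint. The sample input is a handful of lines copied from the log above; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the GMER log posted above (a constructed subset).
SAMPLE_GMER = r"""
.text C:\WINDOWS\explorer.exe[1700] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\explorer.exe[1700] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\explorer.exe[1700] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
.text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10A83DF8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10A83C40
.text C:\Program Files\Mozilla Firefox\firefox.exe[2068] WS2_32.dll!send 71AB428A 5 Bytes JMP 10A83268
.text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe[1804] ws2_32.dll!send 71AB428A 5 Bytes JMP 10003268
"""

# One GMER inline-hook line: section, process[pid], module!api, hooked address,
# patch length, and the JMP target inside the injected module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[\w.]+)!(?P<api>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)


def parse_hooks(text):
    """Return one dict per GMER user-mode inline hook line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section entries ("CODE", ".ifc"), blank lines, headers
        hooks.append({
            "process": f"{m['proc']}[{m['pid']}]",
            "api": f"{m['mod'].lower()}!{m['api']}",  # ws2_32.dll vs WS2_32.dll
            "hooked_addr": int(m["addr"], 16),
            "target": int(m["target"], 16),
        })
    return hooks


def hook_fingerprint(process_hooks):
    """(api, offset) pairs, offsets taken from the lowest JMP target in the process.

    Relocating the injected module shifts every target by the same delta, so the
    offsets are base-independent and identical across processes carrying the same DLL.
    """
    base = min(h["target"] for h in process_hooks)
    return tuple(sorted((h["api"], h["target"] - base) for h in process_hooks))


def group_by_fingerprint(hooks):
    """Map fingerprint -> sorted list of processes that carry it."""
    per_process = defaultdict(list)
    for h in hooks:
        per_process[h["process"]].append(h)
    groups = defaultdict(list)
    for proc, phooks in per_process.items():
        groups[hook_fingerprint(phooks)].append(proc)
    return {fp: sorted(procs) for fp, procs in groups.items()}


def shared_hook_module(hooks):
    """True when every hooked process shows the same fingerprint: one DLL, system-wide."""
    return len(group_by_fingerprint(hooks)) == 1


if __name__ == "__main__":
    for fp, procs in group_by_fingerprint(parse_hooks(SAMPLE_GMER)).items():
        print(f"{len(procs)} process(es) share this hook set:")
        for api, off in fp:
            print(f"    {api:<32} base+0x{off:04X}")
        for p in procs:
            print(f"    {p}")
```

Run against the full log, the same fingerprint covers every process, including the services.exe running from the user's Temp directory, which is the one GMER also flagged for an unknown packed code section. A single fingerprint does not by itself say which DLL is responsible (security products hook the same APIs), but it tells you to look for one injection mechanism, such as an AppInit_DLLs entry, rather than per-process tampering.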
     
  5. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    Happy new year bump
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Hiya

    Happy New Year :)

    Download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Please include the MBAM log, the SUPERAntiSpyware Scan Log and a fresh HijackThis log in your next reply.

    eddie
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Got a message saying it's formatted, is that correct?

    No problems if it is, it's just that the reply is deleted in this thread :)

    eddie
     
  8. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5446

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    03/01/2011 11:21:15 AM
    mbam-log-2011-01-03 (11-21-10).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 177260
    Time elapsed: 9 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe") Good: (Explorer.exe) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{d975e00e-b03c-47ee-bf82-c4217d3d059a}\RP167\A0019142.exe (Spyware.PWS) -> No action taken.
    c:\system volume information\_restore{d975e00e-b03c-47ee-bf82-c4217d3d059a}\RP168\A0019253.exe (Spyware.PWS) -> No action taken.
    c:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
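The one registry hit in this log is the important one: Winlogon\Shell has been changed from the default Explorer.exe to `explorer.exe "C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe"`, so the copy of services.exe in the user's Temp directory is started at logon alongside Explorer. That matches the Temp services.exe that GMER listed among the hooked processes. The script below is an added example, not from the thread or from Malwarebytes: it parses MBAM's `Bad: (...) Good: (...)` line format, splits the Shell value the way a command line would be split (quoted paths kept whole), and reports every entry that is not the bare default shell, with a higher severity for anything living under a Temp or profile directory. The sample line is the one from the log above; the path heuristics and function names are my own assumptions.

```python
import re
import shlex

# Sample input: the registry finding from the MBAM log above (copied, not invented).
MBAM_REG_LINE = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell '
    r'(Hijack.Shell) -> Bad: (explorer.exe "C:\DOCUME~1\Sadaf\LOCALS~1\Temp\services.exe") '
    r'Good: (Explorer.exe) -> No action taken.'
)

# MBAM "Registry Data Items Infected" line: key (detection) -> Bad: (x) Good: (y) -> action
MBAM_REG_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>.*)\) "
    r"Good: \((?P<good>.*)\) -> (?P<action>.+)$"
)

# Directories a logon shell should never be launched from (heuristic, my assumption).
USER_WRITABLE_HINTS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\",
    "\\docume~1\\", "\\documents and settings\\",
)


def parse_mbam_registry_line(line):
    """Return the key/detection/bad/good/action fields, or None for other lines."""
    m = MBAM_REG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_shell_value(value):
    """Split a Winlogon Shell value into program entries.

    The value is a comma-separated list; each entry is itself a command line,
    so quotes group paths that contain spaces. posix=False keeps backslashes.
    """
    entries = []
    for part in value.split(","):
        part = part.strip()
        if part:
            entries.extend(t.strip('"') for t in shlex.split(part, posix=False))
    return entries


def audit_shell_value(value, expected="explorer.exe"):
    """Findings for every token other than the expected shell, with a severity."""
    findings = []
    for token in split_shell_value(value):
        if token.lower() == expected.lower():
            continue
        writable = any(h in token.lower() for h in USER_WRITABLE_HINTS)
        findings.append({
            "entry": token,
            "severity": "high" if writable else "medium",
            "reason": ("extra shell entry in user-writable location"
                       if writable else "extra shell entry"),
        })
    return findings


def audit_mbam_registry_line(line):
    """Audit an MBAM registry finding, using MBAM's own 'Good' value as the expected shell."""
    rec = parse_mbam_registry_line(line)
    if rec is None or not rec["key"].lower().endswith(r"\winlogon\shell"):
        return []
    return audit_shell_value(rec["bad"], expected=rec["good"])


if __name__ == "__main__":
    for f in audit_mbam_registry_line(MBAM_REG_LINE):
        print(f"[{f['severity']}] {f['entry']}: {f['reason']}")
```

The same `audit_shell_value` check applies to the live value read from the registry after cleanup: anything beyond the bare shell name is worth a look, and a second entry that points into Temp is the pattern seen here.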
     
  9. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    I will post the rest of the supplies in the morning. Don't have them available at hand at the moment.

    Yes, I did post that, but that was a mix-up and hence the deleted post. :)

    Thanks for your help. Much appreciated.

    Asif
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    That's okay, just confused me for a bit :p

    Also, it looks like you haven't removed the files when you ran MBAM. Can you re-run it again, but make sure that everything is checked, and click Remove Selected. Then post the log again :)

    eddie
     
  11. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5446

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    04/01/2011 6:08:36 PM
    mbam-log-2011-01-04 (18-08-36).txt

    Scan type: Quick scan
    Objects scanned: 155923
    Time elapsed: 2 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  12. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/04/2011 at 06:28 PM

    Application Version : 4.47.1000

    Core Rules Database Version : 6115
    Trace Rules Database Version: 3927

    Scan type : Complete Scan
    Total Scan Time : 00:17:21

    Memory items scanned : 420
    Memory threats detected : 0
    Registry items scanned : 4728
    Registry threats detected : 0
    File items scanned : 23804
    File threats detected : 0
     
  13. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:32:22 PM, on 04/01/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Sophos\AutoUpdate\almon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Sadaf\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O17 - HKLM\System\CS2\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
    O20 - AppInit_DLLs: winmm.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

    --
    End of file - 4960 bytes
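Once the scanners come back clean, the question is what in the fresh HijackThis log still deserves a look: the orphaned R3 URLSearchHook (a CLSID with no file behind it), the O20 AppInit_DLLs entry (on Windows XP a DLL listed there is loaded into every process that links user32.dll, which is one common way system-wide hooks like the ones GMER showed get installed, so the name should be checked against the file it actually resolves to), and the O17 NameServer lines, which should match the ISP's or router's DNS. The script below is an added example, not part of the thread or of HijackThis: it parses the `Oxx - ` line format and applies a few triage rules, returning findings rather than printing them. The sample lines are copied from the log above; the rules, severities and function names are my assumptions, and a hit means "verify", not "infected".

```python
import re

# Sample input: lines copied from the HijackThis log above (a constructed subset).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{119DA894-0D62-4699-BA25-229FADBB5D67}: NameServer = 115.167.74.254,115.167.75.254
O20 - AppInit_DLLs: winmm.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Paths nothing should autostart from on a workstation (heuristic, my assumption).
USER_WRITABLE_HINTS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")


def parse_hjt(text):
    """Return (code, body) for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def first_path(cmd):
    """Executable path from an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd.split()[0]


def triage(entries, expected_dns=()):
    """Apply triage rules; returns a list of (severity, code, message)."""
    findings = []
    for code, body in entries:
        if code == "R3" and body.endswith("(no file)"):
            findings.append(("low", code, f"orphaned URLSearchHook: {body}"))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            path = first_path(m["cmd"]).lower()
            if any(h in path for h in USER_WRITABLE_HINTS):
                findings.append(("high", code, f"autostart from user-writable path: {m['cmd']}"))
        elif code == "O17":
            servers = body.split("NameServer = ", 1)[-1].split(",")
            unexpected = [s.strip() for s in servers if s.strip() not in expected_dns]
            if unexpected:
                findings.append(("medium", code, f"DNS servers to verify: {', '.join(unexpected)}"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(("medium", code,
                                 f"AppInit_DLLs is set ({dlls}); verify which file that name resolves to"))
    return findings


if __name__ == "__main__":
    for sev, code, msg in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{sev:<6}] {code}: {msg}")
```

Passing the DNS servers you expect in `expected_dns` silences the O17 rule for a known-good configuration; everything else the rules raise is a pointer to a registry value or file to inspect, and the O23 service list is left to manual review against the vendor paths.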
     
  14. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! As you download it, rename it to username123.exe and save it to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Remember to re-enable the protection again afterwards before connecting to the Internet.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    eddie
     
  15. asif281185

    asif281185 Thread Starter

    Joined:
    Dec 6, 2010
    Messages:
    14
    ComboFix 11-01-04.04 - Sadaf 05/01/2011 10:08:12.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1463 [GMT 5:00]
    Running from: c:\documents and settings\Sadaf\Desktop\username123.exe
    AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\oopuhnpkpjv.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_khqlmxop


    ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
    .

    2011-01-04 11:22 . 2011-01-04 11:22 -------- d-----w- c:\documents and settings\Sadaf\Application Data\Crossword Compiler 8
    2011-01-04 11:22 . 2011-01-04 11:22 -------- d-----w- c:\program files\Crossword Compiler
    2011-01-04 09:16 . 2011-01-04 09:16 -------- d-----w- c:\windows\Sun
    2011-01-03 06:42 . 2011-01-03 06:42 -------- d-----w- c:\documents and settings\Sadaf\Application Data\SUPERAntiSpyware.com
    2011-01-03 06:42 . 2011-01-03 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-03 06:42 . 2011-01-03 06:42 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-03 05:29 . 2004-08-03 18:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-01-03 05:29 . 2004-08-03 18:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-01-03 05:19 . 2011-01-03 05:19 -------- d-----w- c:\documents and settings\Sadaf\Application Data\Malwarebytes
    2011-01-03 05:19 . 2011-01-03 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-03 05:19 . 2010-12-20 13:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-03 05:19 . 2011-01-03 05:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-03 05:19 . 2010-12-20 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-01 07:03 . 2011-01-01 07:03 -------- d-----w- c:\documents and settings\Sadaf\Local Settings\Application Data\Sophos
    2011-01-01 07:00 . 2010-06-04 10:23 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
    2011-01-01 07:00 . 2011-01-03 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos Web Intelligence
    2011-01-01 07:00 . 2011-01-01 07:00 -------- d-----w- c:\program files\Common Files\Cisco Systems
    2011-01-01 06:59 . 2010-07-23 17:31 28912 ----a-w- c:\windows\system32\SophosBootTasks.exe
    2011-01-01 06:59 . 2011-01-01 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
    2011-01-01 06:59 . 2011-01-01 06:59 -------- d-----w- c:\program files\MSXML 4.0
    2011-01-01 06:59 . 2010-10-08 14:14 153344 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
    2011-01-01 06:59 . 2010-10-08 14:14 24064 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
    2011-01-01 06:59 . 2011-01-01 06:59 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
    2011-01-01 06:59 . 2011-01-01 06:59 23928 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
    2011-01-01 06:58 . 2011-01-01 06:59 -------- d-----w- c:\program files\Sophos
    2010-12-30 11:43 . 2010-12-03 19:18 -------- d-----w- C:\bachelors
    2010-12-30 11:40 . 2010-12-03 19:21 -------- d-----w- C:\mba
    2010-12-30 11:28 . 2001-12-31 19:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-12-22 19:31 . 2010-12-22 19:31 -------- d-----w- c:\program files\Common Files\Java
    2010-12-22 19:31 . 2010-12-22 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-22 19:31 . 2010-12-22 19:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-22 19:31 . 2010-12-22 19:31 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-22 19:31 . 2010-12-22 19:31 -------- d-----w- c:\program files\Java
    2010-12-09 07:47 . 2010-12-09 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-12-07 09:23 . 2010-12-07 09:23 -------- d-----w- c:\program files\FotoSketcher

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-22 10:24 . 2010-11-22 10:24 315392 ----a-w- c:\windows\HideWin.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-28 14:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 11:41 PM 67656]
    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [01/01/2011 11:59 AM 153344]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [01/01/2011 11:59 AM 24064]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 12:41 PM 12856]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [08/10/2010 7:15 PM 163056]
    R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [01/01/2011 11:59 AM 97520]
    R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [08/10/2010 7:15 PM 1541360]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [12/04/2010 11:54 AM 36864]
    S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [01/01/2011 11:59 AM 23928]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [01/01/2011 11:59 AM 14976]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.pk/
    uInternet Settings,ProxyOverride = local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {119DA894-0D62-4699-BA25-229FADBB5D67} = 115.167.74.254,115.167.75.254
    FF - ProfilePath - c:\documents and settings\Sadaf\Application Data\Mozilla\Firefox\Profiles\7ss4jv5e.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 10:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(3612)
    c:\windows\system32\msi.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Sophos\AutoUpdate\ALsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Mozilla Firefox\firefox.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-05 10:13:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-05 05:12

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 6B401EB69EF9FA5A940F29669886324F
     
Short URL to this thread: https://techguy.org/971747