virus/trojan/malware infections

hey..

as suggested by cdavfrew am starting this new thread.. my comp is kinda acting funny.. theres no sound on sites like youtube, or any of the online movie sites yet when i play somethin on wmp the sound is there alright.. also yday the memory resources were totally used up and the system had to increase the virtual memory space even though i was not using many applications.. a trojan was later discovered by mcafee and some adware too by lavasoft ad-aware.. i need advice on how to read hijackthis log report.. thanks..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:10 AM, on 9/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ffpsrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared...,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\system32\ffpsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 3992 bytes

 

Hi yuvi

Thanks for listening to me. Please post in your next post a detailed report of the problems you have.

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

Best Regards

 

Hi Cdavfrew..

Thanks for your prompt response..

At the risk of bein branded a complete novice, i'd like to admit that i cudnt run the combo fix program successfully

As directed i downloaded it after changin the file name to 'combo-fix' and disabled all firewall/AV/anti-spyware programs, however as soon as i would try n run combofix the system would restart on its own before d scan would get completed.. This happened 5-6 times before i gave up.. Kindly suggest course of action..

Thanks & Regards

 

Hey yuvi

Don't worry. You won't be branded a complete novice.

Hmm.... interesting problem you have there. Please go to Start, Run, and type in Combofix.exe /u. Restart your computer, redownload Combofix using the same instructions, and then boot into safe mode before running Combofix.

To boot into safe mode, repeatedly press the F8 button after you press the power button.

Best Regards

 

Hey Cdavfrew..

Did not need to go to safe mode.. By going to Run and using the command suggested, Combo fix did complete the scan log file of which which is copied below.. The wierd thing is i dint even disable the AV/Antispyware/Firewall this time.. beats me..


ComboFix 08-09-15.02 - Yuvraj 2008-09-17 17:52:13.4 - NTFSx86
Running from: D:\Software\Combo-Fix.exe
Command switches used :: / u
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 20:25 --------- d-----w C:\Program Files\Lavasoft
2008-09-13 20:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 19:42 --------- d-----w C:\Program Files\Trend Micro
2008-09-13 19:25 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-09-13 19:20 --------- d-----w C:\Program Files\Google
2008-09-13 18:54 --------- d-----w C:\Program Files\Morpheus
2008-08-16 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 08:01 --------- d-----w C:\Program Files\LimeWire
2008-07-19 14:23 --------- d-----w C:\Program Files\01-mp3search
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 18:10 --------- d-s-a-r C:\Program Files\FlashGuard
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 12:42 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-11-08 20:10 56 -csh--r C:\WINDOWS\system32\D85ADCE15B.sys
2007-11-08 20:10 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-11 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-12 212992]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yuvraj^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\Yuvraj\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-11-24 15:38 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 21:19 133104 C:\Documents and Settings\Yuvraj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2006-01-14 06:06 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r---c--- 2005-05-04 08:13 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r---c--- 2005-10-15 07:21 14864384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"O&O Defrag"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Games\\Halo\\halo.exe"=
"D:\\Games\\Age of Empires II Full\\[ PC Games ] - Age of Empires II(FULL)(2)\\empires2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Games\\Age of Empires III\\Empire Earth.exe"=
"D:\\Games\\NFS UNDERGROUND\\Speed.exe"=
"D:\\Software\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1BC43981-948B-BF77-25C9-ABE6D4C784B3}]
C:\WINDOWS\system32:svchost.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Yuvraj\Application Data\Mozilla\Firefox\Profiles\lslqvvvq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF -: plugin - C:\Documents and Settings\Yuvraj\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 17:53:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-17 17:54:31
ComboFix-quarantined-files.txt 2008-09-17 12:24:28

Pre-Run: 7,462,121,472 bytes free
Post-Run: 7,452,893,184 bytes free

139 --- E O F --- 2008-09-10 13:15:06

 

Hey yuvi

Wait... that command was for uninstalling ComboFix. Still, please delete it, and then redownload it and rerun it. See how it goes this time.

Best Regards

 

Did you type in Combofix /u exactly as it is? There is a space between Combofix and /u, but no space between / and u. Try this command again before proceeding to do the commands above.

 

oopsie.. have uninstalled ComboFix successfully now.. will redownload and re-run now.. Btw jus found out that there's a file named Qoologic on my C drive which i've never installed.. Googlin tells me its a trojan..

 

All in good time.

So rerun Combofix (careless you ) and post the log here.

Best Regards

 

well here you go.. pls enlighten me now.. hope everythings in order..

ComboFix 08-09-16.05 - Yuvraj 2008-09-17 19:34:56.5 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Yuvraj\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.

2008-09-17 18:45 . 2008-09-17 18:45 <DIR> d-------- C:\Combo-Fix
2008-09-14 01:55 . 2008-09-14 01:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-14 01:55 . 2008-09-14 01:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-14 01:55 . 2008-09-14 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-14 01:12 . 2008-09-14 01:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-14 00:42 . 2008-09-14 00:55 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-09-14 00:42 . 2008-09-14 00:42 <DIR> d-------- C:\Documents and Settings\Yuvraj\Application Data\URSoft
2008-09-14 00:42 . 2008-09-14 00:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-07 14:09 . 2008-09-07 14:09 <DIR> d-------- C:\Documents and Settings\Yuvraj\Application Data\Meda MP3 Joiner 1.2
2008-09-07 12:59 . 2008-09-07 12:59 99 --a------ C:\WINDOWS\cdplayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 19:20 --------- d-----w C:\Program Files\Google
2008-09-13 18:54 --------- d-----w C:\Program Files\Morpheus
2008-09-12 18:49 --------- d-----w C:\Documents and Settings\Yuvraj\Application Data\LimeWire
2008-08-16 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 08:01 --------- d-----w C:\Program Files\LimeWire
2008-08-01 19:05 --------- d-----w C:\Documents and Settings\Yuvraj\Application Data\Metacafe
2008-08-01 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Metacafe
2008-07-19 14:23 --------- d-----w C:\Program Files\01-mp3search
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 18:10 --------- d-s-a-r C:\Program Files\FlashGuard
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 12:42 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-11-08 20:10 56 -csh--r C:\WINDOWS\system32\D85ADCE15B.sys
2007-11-08 20:10 1,682 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-11 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-12 212992]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCDNT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FileAndFolderProtector_S]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yuvraj^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\Yuvraj\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-11-24 15:38 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 21:19 133104 C:\Documents and Settings\Yuvraj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2006-01-14 06:06 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r---c--- 2005-05-04 08:13 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r---c--- 2005-10-15 07:21 14864384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"O&O Defrag"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Games\\Halo\\halo.exe"=
"D:\\Games\\Age of Empires II Full\\[ PC Games ] - Age of Empires II(FULL)(2)\\empires2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Games\\Age of Empires III\\Empire Earth.exe"=
"D:\\Games\\NFS UNDERGROUND\\Speed.exe"=
"D:\\Software\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1BC43981-948B-BF77-25C9-ABE6D4C784B3}]
C:\WINDOWS\system32:svchost.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
MSConfigStartUp-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
MSConfigStartUp-Veoh - C:\Program Files\Veoh Networks\Veoh\VeohClient.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Yuvraj\Application Data\Mozilla\Firefox\Profiles\lslqvvvq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF -: plugin - C:\Documents and Settings\Yuvraj\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 19:37:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Yuvraj\Application Data\Mozilla\Firefox\Profiles\lslqvvvq.default\places.sqlite-journal

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-09-17 19:40:32
ComboFix-quarantined-files.txt 2008-09-17 14:09:55
ComboFix2.txt 2008-09-17 12:24:32

Pre-Run: 8,912,457,728 bytes free
Post-Run: 8,907,636,736 bytes free

149 --- E O F --- 2008-09-10 13:15:06

 

Hey yuvi.

Glad to see that you can run Combofix this time.

First, please go to C:\WINDOWS\system32\ and find a file called D85ADCE15B.sys. Upload this file to www.virustotal.com, and then post the results here.

After that, let's do a scan.

Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

Configuring SuperAntispyware

• Click on Preferences.
• In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting everytime, because it may interfere with other fixes that may be run.
• Navigate to the tab Scanning Control.
• Make sure only these boxes are checked:

Code:

Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining
Scan Alternate Data Streams
Use Kernel Direct File Access (recommended)
Use Kernel Direct Registry Access (recommended)
Use Direct Disk Access (recommended)

• Click on Close.

Updating SuperAntispyware

• At the main window, click on Check for Updates....
• Wait for SuperAntispyware to be fully updated.

Scanning Time

• Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
• Launch SuperAntispyware.
• At the main window, click on Scan your Computer....
• Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
• Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
• Reboot your computer.

Post A Log

• Launch SuperAntispyware
• Click on Preferences
• Navigate to the tab Statistics/Logs.
• Choose the latest scan log, and the click on View Log....
• Copy and paste the contents of the log here in your next post.

Also post a new HijackThis log.

Best Regards

 

Hey Cdavfrew..

My minds a lil dizzy with so many directions

Ok before i forget the file you asked for 'D85ADCE15B.sys' was not there. i searched in the specified location as well as entire C drive..

Well am installing SuperAntiSpyware and following the rest of your instructions.. will let you know the result..

Thanks..

 

Ok then. Don't worry about the file. Just scan with Superantispyware

 

Hi Cdavfrew,

Thanks for your patient hearing n help till now..

Giving below the SuperAntiSpyware scan log..

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/19/2008 at 09:25 AM

Application Version : 4.21.1004

Core Rules Database Version : 3571
Trace Rules Database Version: 1559

Scan type : Complete Scan
Total Scan Time : 09:06:52

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 4855
Registry threats detected : 0
File items scanned : 76674
File threats detected : 0


Also here's the HijackThis log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:38 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ffpsrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Yuvraj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\system32\ffpsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 4647 bytes

 

Hey yuvi

Please run HijackThis.

• Click on the button which says Main Menu, then Do a system scan only.
• Please wait for the scan to be completed.
• After the scan has completed, check the following entries.

Code:

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)  
O2 - BHO: (no name) - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)   
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file) 
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - (no file)  
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)

Click on the button Fix checked

NOTE:: Close all browsers before fixing anything.

What problems are left?

Best Regards

 

Hey Cdavfrew

Did as suggested. Scanned using HijackThis and fixed the problems as well..

I'll also give you a run down of the other problems m facing..

1. No sound when playing movies or videos online..
2. The file named Qoologic still remains on my C drive.

Waiting for your reply..

Regards

 

Hey yuvi

Follow the instructions on this page:
http://forums.majorgeeks.com/showthread.php?t=96081

Also, I assume that you are using Firefox as your browser, and there is no sound? How about Internet Explorer?

Many people have this problem with Firefox. Simply google "no sound firefox", and also look at this page: http://support.mozilla.com/en-US/kb/No+sound+in+Firefox

Best Regards

 

Hi Cdavfrew,

Thanks for your response.

Both the problems however still remain.. Qoofix does not find any instance of Qoologic even though i can see the file on my C drive.

The problem of sound not playing is very irritating.. infact IE doesnt play the sound either. Also the master volume control in QuickLauch also doesnt play the beep sound when i change the volume.

Pls advice.

Regards

 

Hey Cdavfrew,

There's this another thing i thot of askin you about..

I ve set this option of opening any folder by double clicking on it bt randomly folders r opening on single click itself.. infact this is happening in wmp too..

Kindly shed some light on what is the reason behind it..

Regards

 

In Internet Explorer
do this:
Tools > Internet Options > Advanced
on the scrollable part scroll down to Multimedia which should be 6th or 7th one on the list. Under that there should be a check box for play sounds on web pages. Enable that and tell me whether the sound comes back.

Also look here: http://support.microsoft.com/kb/307918

What happens when you try to delete the Qoologic file?

Try changing your mouse and see if this problem is still there. I had this problem too, and after replacing my mouse, it's good.

Best Regards