#1 - 15th May 2009, 14:09 - Member Group
Hi,

My computer has been infected with the Trojan.Vundo.H virus and in spite of trying out multiple options it does not go away. I ran PC Tools Spyware Doctor, Malwarebytes and Symantec Antivirus to clean it, but it keeps coming back.

The Windows Security Center virus protection also gets automatically turned off and I'm not able to turn it back on again.

I downloaded the HijackThis software and tried removing it through that, but no luck. Please see the attached HijackThis log and also the log from Malwarebytes below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:05 AM, on 5/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\_integra\bin\ccmagent.exe
C:\Program Files\TightVNC\WinVNC.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {C2319637-003A-4B28-93A0-966814C49799} - c:\windows\system32\mklikqw.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156965887437
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/stream.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.tvucricket.com/player/vjocx-en-black.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA22132-BACD-480B-9DD9-54819F88A39C}: Domain = keane.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: tfixzl.dll ,
O20 - Winlogon Notify: gmbcvwou - C:\WINDOWS\SYSTEM32\mklikqw.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 11286 bytes




Malwarebytes' Anti-Malware 1.36
Database version: 2130
Windows 5.1.2600 Service Pack 3
5/15/2009 10:20:26 AM
mbam-log-2009-05-15 (10-19-33).txt
Scan type: Quick Scan
Objects scanned: 107847
Time elapsed: 5 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2319637-003a-4b28-93a0-966814c49799} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gmbcvwou (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c2319637-003a-4b28-93a0-966814c49799} (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\mklikqw.dll (Trojan.Vundo.H) -> No action taken.


Thanks,
Swami.
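As an added example for this thread (it is not part of the original post and not code from HijackThis, Malwarebytes or Computer Juice), here is a small Python triage pass over a handful of lines copied from the HijackThis log above, with the forum's line-wrap spaces removed. It shows what a reviewer looks for in a log like this: hosts entries that point a hostname at a non-loopback address, a BHO that reports "(no name)", O20 entries (AppInit_DLLs and Winlogon Notify both load a DLL into processes the user never started), file names that do not look like words, and, most usefully, the same DLL registered at more than one load point, which is one reason a single-point removal tends not to stick. The random-name scoring, the KNOWN_GOOD allowlist and the finding tags are this example's own assumptions, and like GMER output the heuristics are prompts for a human, not verdicts.

```python
"""Triage a HijackThis log for multi-point persistence.

Added example for this thread; it is not part of HijackThis, Malwarebytes
or the forum's own tooling.  The sample lines are copied from the posted
log (forum line-wrap spaces removed); the scoring and tags are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the posted HijackThis log.
SAMPLE_LOG = [
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 94.232.248.66 antivguardian.com",
    r"O1 - Hosts: 94.232.248.66 www.antivguardian.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {C2319637-003A-4B28-93A0-966814C49799} - c:\windows\system32\mklikqw.dll",
    r"O4 - HKLM\..\Run: [ccApp] -",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - AppInit_DLLs: tfixzl.dll ,",
    r"O20 - Winlogon Notify: gmbcvwou - C:\WINDOWS\SYSTEM32\mklikqw.dll",
]

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")           # "O2 - BHO: ..."
FILE_RE = re.compile(r"([A-Za-z0-9_~-]+)\.(dll|exe|sys)\b", re.I)
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-")
BLANK_RUN_RE = re.compile(r"\]\s+-\s*$")                # "[ccApp] -"
LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: a site-specific allowlist of legitimate names the heuristic
# would otherwise flag (ctfmon has one vowel and a four-consonant run).
KNOWN_GOOD = {"ctfmon.exe"}
VOWELS = set("aeiou")


def looks_random(stem):
    """Crude pronounceability test: few vowels or a long consonant run."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowel_share = sum(c in VOWELS for c in s) / len(s)
    run = longest = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return (vowel_share < 0.2 and longest >= 3) or longest >= 5


def triage(lines):
    """Return (findings, shared): tagged lines, and files seen at >1 load point."""
    findings = []
    where = defaultdict(set)          # basename -> HijackThis sections it appears in
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":           # hosts file: a name mapped to an external address
            parts = body.split()
            if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
                findings.append(("hosts-redirect", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(("unnamed-bho", line))
        elif section == "O4" and BLANK_RUN_RE.search(body):
            findings.append(("autostart-blanked", line))   # e.g. the AV's ccApp entry
        elif section == "O20":        # AppInit_DLLs / Winlogon Notify: DLL injection points
            findings.append(("o20-injection", line))
            nm = NOTIFY_RE.match(body)
            if nm and looks_random(nm.group(1)):
                findings.append(("random-notify-key", line))
        for stem, ext in FILE_RE.findall(body):
            base = f"{stem}.{ext}".lower()
            where[base].add(section)
            if base not in KNOWN_GOOD and looks_random(stem):
                findings.append(("random-filename", line))
    shared = {b: sorted(s) for b, s in where.items() if len(s) > 1}
    return findings, shared


if __name__ == "__main__":
    found, multi = triage(SAMPLE_LOG)
    for tag, line in found:
        print(f"{tag:18} {line}")
    for base, sections in multi.items():
        print(f"{base} is registered at {', '.join(sections)}; all of them must go together")
```

On the posted log this reports both antivguardian.com hosts entries, the unnamed BHO, the blanked ccApp autostart, both O20 lines, and that mklikqw.dll is wired in at O2 and O20 at once.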
#2 - 15th May 2009, 15:56 - Malware Group
Howdy there and welcome to Computer Juice

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

===============================

Go to Start menu > Select Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

===============================

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop and copy and paste this in your next reply


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Post back with the contents of all 3 logs in your next reply
#3 - 15th May 2009, 20:23 - Member Group
Hi Steve,

Please find the 3 logs below:

ComboFix 09-05-15.01 - Swami 05/15/2009 22:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.535 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\swami\Application Data\wiaserva.log
.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.
2009-05-16 00:58 . 2009-05-16 00:58 61440 ----a-w c:\windows\system32\drivers\khqdjzja.sys
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 00:26 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-16 00:26 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-16 00:25 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-15 14:10 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-13 23:46 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2319637-003A-4B28-93A0-966814C49799}]
2004-08-04 12:00 103936 ----a-w c:\windows\system32\mklikqw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gmbcvwou]
2004-08-04 12:00 103936 ----a-w c:\windows\system32\mklikqw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R0 zxbtvjss;zxbtvjss;c:\windows\system32\drivers\zxbtvjss.sys [8/4/2004 8:00 AM 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ncshpgyk
.
Contents of the 'Scheduled Tasks' folder
2009-05-16 c:\windows\Tasks\At1.job
- c:\windows\system32\mklikqw.dll [2004-08-04 12:00]
2009-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-14 18:16]
2008-11-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Notify-AtiExtEvent - (no file)

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 22:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1348)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-05-16 22:18
ComboFix-quarantined-files.txt 2009-05-16 02:18
Pre-Run: 36,771,352,576 bytes free
Post-Run: 36,864,704,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
179 --- E O F --- 2009-05-13 23:02


Add-Remove Programs log

Access Help
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Atmel TPM Driver 3.0.0.15
AutoUpdate
Cisco Aironet PEAP Supplicant
Compatibility Pack for the 2007 Office system
CutePDF Printer Setup
DivX Codec
DivX Converter
DivX Player
DivX Web Player
getPlus(R) for Adobe
Google Toolbar for Internet Explorer
Google Updater
Help Center
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 2.6 (Symantec Corporation)
Lotus Notes
Malwarebytes' Anti-Malware
mCore
mDriver
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Communicator 2005
Microsoft Office Live Meeting 2005
Microsoft Office Live Meeting 2007
Microsoft Office Live Meeting Add-in Pack
Microsoft Office Live Meeting PowerPoint Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Organization Chart 2.0
mMHouse
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.1)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Novell Client for Windows
PC-Doctor 5 for Windows
Picasa 2
Productivity Center Supplement for ThinkPad
RecordNow Audio
RecordNow Copy
RecordNow Data
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sierra Wireless MC5720 Package for Access Connections
Software Installer
Sonic DLA
Sonic Express Labeler
Sonic Update Manager
SopCast 3.0.3
SoundMAX
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Symantec AntiVirus
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkVantage Active Protection System
ThinkVantage Away Manager
TightVNC 1.2.8
TrackPoint Accessibility Features
TVAnts 1.0
TVUPlayer 2.3.6.1
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VeohTV BETA
VPN Client
WebFldrs XP
Western Australian Time Zone Update
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Messenger 5.1
Windows XP Service Pack 3
WinRAR archiver
WinZip


Gmer.Log

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-15 23:18:34
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xA440B794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xA440BF1E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA0ABEDF0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xA440A384]
Code \??\C:\DOCUME~1\swami\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9AB4ED20
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4d7b9c6
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0014a4d7b9c6
---- EOF - GMER 1.0.15 ----
  #4  
Old 16th May 2009, 10:01
Malware Group
 
Hi there janeswami

Good work in getting the logs to me. The ComboFix log has uncovered a couple of items that need attention...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
c:\windows\system32\drivers\khqdjzja.sys
c:\windows\system32\mklikqw.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\drivers\zxbtvjss.sys

DirLook::
c:\documents and settings\swami\Application Data\orotyqae
c:\documents and settings\swami\Local Settings\Application Data\orotyqae

Driver::
zxbtvjss
khqdjzja

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2319637-003A-4B28-93A0-966814C49799}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gmbcvwou]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

=================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


Leave this one in -> Java(TM) 6 Update 11


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Next go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Now click on the Update tab > Update Now. An update should begin; follow the prompts.
    • Click OK to leave the Java Control Panel.


=================================

Please update and generate a fresh MBAM log for me
  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


=================================

I want you to run an online scan at Kaspersky. It can take some time, so please be patient and allow it to run its full course:

**Vista users - right click IE/Firefox icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan


3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


Please include in your next post:
New combofix log
MBAM Log
Kaspersky log
__________________
Proud member of ASAP & UNITE
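The CFScript above removes several kinds of persistence in one pass: driver services with random eight-letter names, a BHO registered by CLSID, and Winlogon Notify entries; the follow-up script later in this thread also targets an extra svchost NetSvcs member and a service whose image file is gone. As an added example, not part of the thread and not ComboFix's own code, the script below reads a ComboFix-style report and scores each autostart entry on those structural signals, using name randomness only as a weak tiebreaker (a legitimate ThinkPad driver such as Shockprf has almost no vowels either). The sample report is a constructed excerpt modelled on the "Reg Loading Points" format, and the weights, threshold and allowlist are my own assumptions.

```python
"""Score autostart entries from a ComboFix-style report.

Added example for this thread, not ComboFix's own code. SAMPLE_REPORT is a
constructed excerpt modelled on the "Reg Loading Points" section posted above;
the signal weights, threshold and ALLOWLIST are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the ComboFix report format (a handful of lines, not the real log).
SAMPLE_REPORT = r"""
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S0 cattx;cattx; [x]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ZXBTVJSS
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gmbcvwou]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ncshpgyk
.
"""

# Assumed weights: where/how an entry loads counts more than how its name looks.
WEIGHTS = {
    "missing_image": 2,       # service/driver whose image file is gone: "[x]"
    "newly_created": 2,       # driver that appeared since ComboFix's last snapshot
    "netsvcs_nondefault": 2,  # extra member of the svchost netsvcs group
    "winlogon_notify": 2,     # Winlogon notification DLL, loaded into winlogon.exe
    "random_name": 1,         # weak signal: vowel-free name or long consonant run
}
THRESHOLD = 2

# Assumed allowlist of names the analyst already vetted by checking the file's vendor
# (tpfnf2 -> notifyf2.dll is a ThinkPad hotkey component; !SASWinLogon is SUPERAntiSpyware).
ALLOWLIST = {"tpfnf2", "!saswinlogon"}

SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
NOTIFY_RE = re.compile(
    r"^\[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\]]+)\]$", re.IGNORECASE)
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(?P<name>\S+)$")
NETSVCS_HEADER = "svchost - netsvcs"


def looks_random(name):
    """True for names with almost no vowels or a consonant run of four or more letters."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    vowels = sum(ch in "aeiou" for ch in letters)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowels / len(letters) < 0.2 or longest_run >= 4


def triage(report):
    """Return {name: {"score", "reasons"}} for entries scoring at or above THRESHOLD."""
    names = set()
    signals = defaultdict(set)
    in_netsvcs = False
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False
            continue
        if in_netsvcs:
            if line.startswith((".", "[", "(", "-", "*")):
                in_netsvcs = False          # end of the netsvcs member list
            else:
                names.add(line.lower())
                signals[line.lower()].add("netsvcs_nondefault")
                continue
        if line.lower().endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if m := SERVICE_RE.match(line):
            name = m["name"].lower()
            names.add(name)
            if m["rest"].strip() == "[x]":
                signals[name].add("missing_image")
        elif m := NOTIFY_RE.match(line):
            name = m["name"].lower()
            names.add(name)
            signals[name].add("winlogon_notify")
        elif m := NEWLY_RE.match(line):
            name = m["name"].lower()
            names.add(name)
            signals[name].add("newly_created")

    findings = {}
    for name in sorted(names - ALLOWLIST):
        reasons = set(signals[name])
        if looks_random(name):
            reasons.add("random_name")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= THRESHOLD:
            findings[name] = {"score": score, "reasons": sorted(reasons)}
    return findings


if __name__ == "__main__":
    for name, info in triage(SAMPLE_REPORT).items():
        print(f"{name:<12} score={info['score']} {', '.join(info['reasons'])}")
```

On the sample, cattx (no image file), zxbtvjss (newly created driver), gmbcvwou (Winlogon Notify) and ncshpgyk (NetSvcs member) come out above the threshold, while Shockprf, SASKUTIL and swmx01 do not; the allowlist is how a false positive such as tpfnf2 is retired once the DLL's vendor has been checked, rather than by loosening the name heuristic.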
  #5  
Old 17th May 2009, 18:50
Member Group
 
Hi Steve,

Find below the required logs.

ComboFix 09-05-15.01 - Swami 05/17/2009 18:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.593 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\swami\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
c:\windows\system32\drivers\khqdjzja.sys
c:\windows\system32\drivers\zxbtvjss.sys
c:\windows\system32\mklikqw.dll
c:\windows\system32\tphklock.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\zxbtvjss.sys
c:\windows\system32\mklikqw.dll
c:\windows\system32\tphklock.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ZXBTVJSS
-------\Service_zxbtvjss

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-16 03:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-17 22:27 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-17 22:27 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-17 22:27 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-17 22:22 . 2004-08-04 12:00 23424 ----a-w c:\windows\system32\drivers\zvjtctfl.sys
2009-05-17 22:13 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-15 14:10 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))) )))))))
.
---- Directory of c:\documents and settings\swami\Application Data\orotyqae ----
2009-05-09 02:25 . 2009-05-09 02:25 698 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\prefs.js
2009-05-09 02:13 . 2009-05-09 02:13 4512 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\pluginreg.dat
2009-05-09 02:13 . 2009-05-09 02:13 2048 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\webappsstore.sqlite
2009-05-09 02:13 . 2009-05-09 02:13 569 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\localstore.rdf
2009-05-09 02:13 . 2009-05-09 02:13 4096 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\formhistory.sqlite
2009-05-09 02:12 . 2009-05-09 02:25 0 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\places.sqlite-journal
2009-05-09 02:12 . 2009-05-09 02:25 131072 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\places.sqlite
2009-05-09 02:12 . 2009-05-09 02:12 16384 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\key3.db
2009-05-09 02:12 . 2009-05-09 02:25 65536 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\cert8.db
2009-05-09 02:12 . 2009-05-09 02:12 16384 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\secmod.db
2009-05-09 02:12 . 2009-05-09 02:25 2048 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\cookies.sqlite
2009-05-09 02:11 . 2009-05-09 02:11 2048 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\permissions.sqlite
2009-05-09 02:11 . 2009-05-09 02:11 127820 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\compreg.dat
2009-05-09 02:11 . 2009-05-09 02:11 96173 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\xpti.dat
2009-05-09 02:11 . 2009-05-09 02:11 207 ----a-w c:\documents and settings\swami\Application Data\orotyqae\Profiles\3jf8ntj9.default\compatibility.ini
2009-05-09 02:11 . 2009-05-09 02:11 111 ----a-w c:\documents and settings\swami\Application Data\orotyqae\profiles.ini
---- Directory of c:\documents and settings\swami\Local Settings\Application Data\orotyqae ----
2009-05-09 02:12 . 2009-05-09 02:25 32768 ----a-w c:\documents and settings\swami\Local Settings\Application Data\orotyqae\Profiles\3jf8ntj9.default\urlclassifier3.sqlite
2009-05-09 02:11 . 2009-05-09 02:13 438116 ----a-w c:\documents and settings\swami\Local Settings\Application Data\orotyqae\Profiles\3jf8ntj9.default\XPC.mfl

((((((((((((((((((((((((((((( SnapShot@2009-05-16_02.17.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 22:27 . 2009-05-17 22:27 16384 c:\windows\Temp\Perflib_Perfdata_45c.dat
+ 2004-08-04 12:00 . 2009-05-17 15:34 64774 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-16 00:30 64774 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-17 15:34 409800 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-16 00:30 409800 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [5/13/2009 3:26 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S0 cattx;cattx; [x]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ZXBTVJSS
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ncshpgyk
.
Contents of the 'Scheduled Tasks' folder
2009-05-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-14 18:16]
2008-11-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 18:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1344)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'Explorer.exe'(2144)
c:\windows\system32\PROCHLP.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\centenn.ial\AUDIT\CAgent32.exe
c:\centenn.ial\AUDIT\xferwan.exe
c:\program files\Cisco VPN client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wdfmgr.exe
c:\_integra\bin\ccmagent.exe
c:\program files\TightVNC\WinVNC.exe
c:\_integra\bin\shstart.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiadap.exe
.
************************************************** ************************
.
Completion time: 2009-05-17 18:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 22:31
ComboFix2.txt 2009-05-16 02:18
Pre-Run: 36,609,515,520 bytes free
Post-Run: 36,702,584,832 bytes free
228 --- E O F --- 2009-05-13 23:02


Malwarebytes log
Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3
5/17/2009 7:02:06 PM
mbam-log-2009-05-17 (19-02-06).txt
Scan type: Quick Scan
Objects scanned: 108122
Time elapsed: 3 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 01:59:08
Records in database: 2189198
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
Scan statistics:
Files scanned: 50185
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:28:08

File name / Threat name / Threats count
WinVNC.exe\WinVNC.exe/WinVNC.exe\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe/C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\VNCHOOKS.DLL/C:\Program Files\TightVNC\VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-17_18.22.48.ZIP Infected: Trojan.Win32.BHO.ext 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NDV99H5U\install[1].exe Infected: Trojan-Downloader.Win32.Mufanom.jg 1
The selected area was scanned.


Thanks,
Swami.
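Among the lines in the ComboFix log above are three Firefox preferences worth a second look: network.proxy.type is 1 (manual proxy) and network.proxy.http / http_port send all HTTP through localhost:7171. Whether that local listener is a legitimate tool or a hijack depends on which process owns the port, so a practitioner reviewing such a log checks it before moving on. As an added example, not code from this thread, from ComboFix or from Mozilla, the script below parses a prefs.js file, summarises its proxy configuration, and produces a copy with the network.proxy.* lines removed so Firefox falls back to its default. The sample prefs.js is constructed (only its proxy values mirror the log); the loopback check and the wording of the advice are my own assumptions.

```python
"""Inspect and strip proxy settings from a Firefox prefs.js.

Added example for this thread, not ComboFix's or Mozilla's code. SAMPLE_PREFS
is a constructed prefs.js in the format Firefox writes, carrying the same three
proxy values that appear in the ComboFix log above; the loopback check and the
advice strings are assumptions.
"""
import json
import re

PREF_RE = re.compile(r'^user_pref\("(?P<key>[^"]+)",\s*(?P<value>.+)\);\s*$')
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample; the proxy lines mirror the "FF - prefs.js:" lines in the log above.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.type", 1);
user_pref("privacy.sanitize.sanitizeOnShutdown", false);
"""


def parse_prefs(text):
    """Return {key: value} from user_pref(...) lines; values are JSON-style literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m["key"]] = json.loads(m["value"])
    return prefs


def analyse_proxy(text):
    """Summarise the proxy configuration and list what an analyst should verify."""
    prefs = parse_prefs(text)
    ptype = prefs.get("network.proxy.type")   # absent means Firefox's default
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    issues = []
    summary = {
        "type": ptype,
        "http": (host, port) if host is not None else None,
        "pac": prefs.get("network.proxy.autoconfig_url"),
        "issues": issues,
    }
    if ptype == 1 and host:                   # 1 = manual proxy configuration
        if host.lower() in LOOPBACK:
            issues.append(f"manual HTTP proxy to loopback port {port}: confirm which "
                          f"process listens there (netstat -ano) before trusting it")
        else:
            issues.append(f"manual HTTP proxy to {host}:{port}: confirm this is an "
                          f"expected corporate proxy")
    if ptype == 2 and summary["pac"]:         # 2 = automatic proxy configuration URL
        issues.append(f"PAC script at {summary['pac']}: a PAC file can route chosen "
                      f"sites through an attacker's proxy")
    return summary


def strip_proxy_prefs(text):
    """Return prefs.js text with every network.proxy.* line removed.

    Firefox rewrites prefs.js on exit, so edit the file only while Firefox is closed.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m["key"].startswith("network.proxy."):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for issue in analyse_proxy(SAMPLE_PREFS)["issues"]:
        print("CHECK:", issue)
    print(strip_proxy_prefs(SAMPLE_PREFS))
```

Removing the preference lines only stops Firefox from using the listener; the process behind port 7171 still has to be identified and dealt with separately, which is why the summary tells the analyst to look at the port rather than declaring the entry malicious.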
  #6  
Old 18th May 2009, 08:29
Malware Group
 
Hi there

Good work, so far so good. Things are looking better.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NDV99H5U\install[1].exe
c:\windows\system32\drivers\zvjtctfl.sys

NetSvcs::
ncshpgyk

Driver::
cattx
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Also update me on how things are running now...
__________________
Proud member of ASAP & UNITE
  #7  
Old 18th May 2009, 10:02
Member Group
 
Hi Steve,

Please see below the latest ComboFix log:

ComboFix 09-05-15.01 - Swami 05/18/2009 12:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.558 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\swami\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NDV99H5U\install[1].exe
c:\windows\system32\drivers\zvjtctfl.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NDV99H5U\install[1].exe
c:\windows\system32\drivers\zvjtctfl.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_cattx

((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.
2009-05-18 14:32 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-17 22:47 . 2009-05-17 22:47 38344 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-16 03:25 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-18 16:51 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-18 16:51 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-18 16:51 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-18 03:29 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-17 22:57 . 2007-07-05 23:58 -------- d-----w c:\program files\Java
2009-05-17 22:51 . 2007-07-14 01:14 -------- d-----w c:\program files\Google
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-15 14:10 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 09:19 . 2008-12-19 17:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-16_02.17.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-18 16:51 . 2009-05-18 16:51 16384 c:\windows\Temp\Perflib_Perfdata_234.dat
- 2004-08-04 12:00 . 2009-05-16 00:30 64774 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-18 01:35 64774 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-18 01:35 409800 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-16 00:30 409800 c:\windows\system32\perfh009.dat
+ 2008-10-16 18:07 . 2008-10-16 18:07 208744 c:\windows\system32\muweb.dll
- 2008-12-19 17:30 . 2008-12-19 17:30 148888 c:\windows\system32\javaws.exe
+ 2009-05-17 22:57 . 2009-03-09 09:19 148888 c:\windows\system32\javaws.exe
+ 2009-05-17 22:57 . 2009-03-09 09:19 144792 c:\windows\system32\javaw.exe
- 2008-12-19 17:30 . 2008-12-19 17:30 144792 c:\windows\system32\javaw.exe
+ 2009-05-17 22:57 . 2009-03-09 09:19 144792 c:\windows\system32\java.exe
- 2008-12-19 17:30 . 2008-12-19 17:30 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [5/17/2009 11:33 PM 101936]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ncshpgyk
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 12:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1360)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'Explorer.exe'(2304)
c:\windows\system32\PROCHLP.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\centenn.ial\AUDIT\CAgent32.exe
c:\centenn.ial\AUDIT\xferwan.exe
c:\program files\Cisco VPN client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wdfmgr.exe
c:\_integra\bin\ccmagent.exe
c:\program files\TightVNC\WinVNC.exe
c:\windows\system32\wscntfy.exe
c:\_integra\bin\shstart.exe
.
**************************************************************************
.
Completion time: 2009-05-18 12:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 16:54
ComboFix2.txt 2009-05-17 22:31
ComboFix3.txt 2009-05-16 02:18
Pre-Run: 36,572,176,384 bytes free
Post-Run: 36,741,251,072 bytes free
203 --- E O F --- 2009-05-13 23:02

Things are much better now, but the only problem I'm seeing is that the Windows Security alert in my status bar still shows up as a red colored shield with an X mark, and when I open it up it still shows my VIRUS Protection as Off and I'm not able to turn it back on. It says that my Symantec Antivirus Corporate edition is turned off.

Thanks,
Swami.
  #8  
Old 18th May 2009, 11:17
Malware Group
 
Hi there Jane

Please download and run this tool from Kaspersky-> Win32.Kido Removal tool
Save the file to your desktop and extract the contents into a folder
Open the folder you extracted the file and double click on KK.exe
The file will then open up and run in a black DOS window
Once the tool is finished do not close the window!
Instead do this.....
Right click on the window containing the results and select the option "Select All"
press "ctrl & c" to copy the results
Now paste the results into your next reply
__________________
Proud member of ASAP & UNITE
  #9  
Old 18th May 2009, 17:05
Member Group
 
Hi Steve,

Find below the log from the KK.exe run

Net-Worm.Win32.Kido removing tool, Kaspersky Lab 2009
version 3.4.7 May 5 2009 14:39:10
scanning jobs ...
scanning processes ...
scanning threads ...
scanning modules in svchost.exe...
scanning modules in services.exe...
scanning modules in explorer.exe...
scanning C:\WINDOWS\system32 ...
scanning C:\Program Files\Internet Explorer\ ...
scanning C:\Program Files\Movie Maker\ ...
scanning C:\Program Files\Windows Media Player\ ...
scanning C:\Program Files\Windows NT\ ...
scanning C:\Documents and Settings\swami\Application Data ...
scanning C:\WINDOWS\TEMP\ ...
completed
Infected jobs: 0
Infected files: 0
Infected threads: 0
Spliced functions: 0
Cured files: 0
Fixed registry keys: 0


Thanks,
Swami.
  #10  
Old 18th May 2009, 21:24
Malware Group
 
Hi there

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Code:
@ECHO OFF
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs  > results.txt
pause
Post back with the log it produces
__________________
Proud member of ASAP & UNITE
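The batch file above only dumps the netsvcs list; deciding which member is the odd one out is still done by eye. The script below is an added example for this thread, not code from the helper's post or from ComboFix, HijackThis or Kaspersky's tool. It parses the results.txt that fix.bat writes and reports any member of the svchost netsvcs group that is not in a baseline of well-known Windows XP service names, which is how a random-looking entry such as the "ncshpgyk" shown under NetSvcs in the ComboFix log stands out. Two assumptions: KNOWN_NETSVCS is an illustrative subset rather than an authoritative list (an incomplete baseline only makes the script list more names for review, never fewer), and SAMPLE_RESULTS_TXT is a constructed imitation of Windows XP reg.exe output, where REG_MULTI_SZ members are joined with a literal backslash-zero.

```python
"""Triage the svchost 'netsvcs' group from `reg query` text output.

Added example; not code from the thread or from any tool it mentions.
Assumptions: KNOWN_NETSVCS is an illustrative subset of the default
Windows XP group members, and SAMPLE_RESULTS_TXT is constructed to
resemble what `reg query ... /v netsvcs > results.txt` produces on XP.
"""
import sys

# Assumed baseline (illustrative subset). Anything absent from it is listed
# for manual review, so an incomplete baseline errs on the side of showing more.
KNOWN_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
    "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
    "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time",
    "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr",
}

# Constructed sample of reg.exe output: the multi-string members are joined
# by a literal "\0" (backslash, zero) on a single line.
SAMPLE_RESULTS_TXT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0Schedule\0Seclogon\0SENS\0Sharedaccess\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0ncshpgyk
"""


def parse_netsvcs(reg_query_output: str) -> list:
    """Return the members of the first REG_MULTI_SZ value in reg query text,
    in registry order (the order in which svchost loads the group)."""
    for line in reg_query_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "REG_MULTI_SZ":
            value = " ".join(parts[2:])  # service names never contain spaces
            return [member for member in value.split("\\0") if member]
    raise ValueError("no REG_MULTI_SZ value found in reg query output")


def looks_generated(name: str) -> bool:
    """Heuristic only: all-lowercase, letters-only, 6+ characters and almost
    vowel-free is typical of machine-generated names. It prioritises review;
    it is not a verdict on its own."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.2


def triage(reg_query_output: str, baseline=KNOWN_NETSVCS) -> list:
    """Return (member, reason) pairs for group members absent from the baseline."""
    known = {n.casefold() for n in baseline}
    findings = []
    for member in parse_netsvcs(reg_query_output):
        if member.casefold() in known:
            continue
        reason = "generated-looking name" if looks_generated(member) else "not in baseline"
        findings.append((member, reason))
    return findings


if __name__ == "__main__":
    # Pass the results.txt written by fix.bat; with no argument the constructed
    # sample is used so the script can be tried offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESULTS_TXT
    for member, reason in triage(text):
        # A svchost-hosted service registers its DLL under Parameters\ServiceDll;
        # that key is where to look next for the member flagged here.
        print(f"{member}: {reason} - inspect HKLM\\SYSTEM\\CurrentControlSet\\Services\\{member}\\Parameters\\ServiceDll")
```

Run it as `python triage_netsvcs.py results.txt` on the file fix.bat produces; on the constructed sample it reports only ncshpgyk. Names flagged "not in baseline" may simply be third-party services the baseline does not know about, so confirm each one against its Services key before acting on it.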
Copyright ©2006 - 2009 Computer Juice.

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.