Hi Alba,
Thanks for your response.
Here is my ComboFix log:
ComboFix 08-09-22.06 - Musthafa 2008-09-24 21:44:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT 5.5:30]
Running from: E:\Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM47845201.txt
C:\WINDOWS\BM47845201.xml
C:\WINDOWS\system32\_004661_.tmp.dll
C:\WINDOWS\system32\_004662_.tmp.dll
C:\WINDOWS\system32\_004663_.tmp.dll
C:\WINDOWS\system32\_004664_.tmp.dll
C:\WINDOWS\system32\_004671_.tmp.dll
C:\WINDOWS\system32\_004672_.tmp.dll
C:\WINDOWS\system32\_004673_.tmp.dll
C:\WINDOWS\system32\_004674_.tmp.dll
C:\WINDOWS\system32\_004676_.tmp.dll
C:\WINDOWS\system32\_004677_.tmp.dll
C:\WINDOWS\system32\_004680_.tmp.dll
C:\WINDOWS\system32\_004681_.tmp.dll
C:\WINDOWS\system32\_004683_.tmp.dll
C:\WINDOWS\system32\_004684_.tmp.dll
C:\WINDOWS\system32\_004685_.tmp.dll
C:\WINDOWS\system32\_004687_.tmp.dll
C:\WINDOWS\system32\_004690_.tmp.dll
C:\WINDOWS\system32\_004691_.tmp.dll
C:\WINDOWS\system32\_004695_.tmp.dll
C:\WINDOWS\system32\_004696_.tmp.dll
C:\WINDOWS\system32\_004698_.tmp.dll
C:\WINDOWS\system32\_004701_.tmp.dll
C:\WINDOWS\system32\_004703_.tmp.dll
C:\WINDOWS\system32\_004704_.tmp.dll
C:\WINDOWS\system32\_004705_.tmp.dll
C:\WINDOWS\system32\_004706_.tmp.dll
C:\WINDOWS\system32\_004707_.tmp.dll
C:\WINDOWS\system32\_004710_.tmp.dll
C:\WINDOWS\system32\_004711_.tmp.dll
C:\WINDOWS\system32\_004712_.tmp.dll
C:\WINDOWS\system32\_004713_.tmp.dll
C:\WINDOWS\system32\_004714_.tmp.dll
C:\WINDOWS\system32\_004719_.tmp.dll
C:\WINDOWS\system32\_004721_.tmp.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\hjkTDcfe.ini
C:\WINDOWS\system32\kcpdhsrk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mixufmbk.ini
C:\WINDOWS\system32\oggaxxli.ini
C:\WINDOWS\system32\oledb32.dll
C:\WINDOWS\system32\qvnkmcvf.ini
C:\WINDOWS\system32\tyhcfqmo.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-23 22:52 . 2008-09-23 22:52 <DIR> d-------- C:\Documents and Settings\Musthafa\Application Data\skypePM
2008-09-23 22:52 . 2008-09-23 22:52 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-09-23 22:48 . 2008-09-23 22:48 <DIR> d-------- C:\Program Files\Skype
2008-09-23 22:48 . 2008-09-23 22:48 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-09-23 22:48 . 2008-09-24 00:48 <DIR> d-------- C:\Documents and Settings\Musthafa\Application Data\Skype
2008-09-23 22:48 . 2008-09-23 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-09-22 06:21 . 2008-09-22 06:38 <DIR> d-------- C:\Program Files\iLEAP
2008-09-20 11:59 . 2008-09-23 07:45 <DIR> d-------- C:\Program Files\MagicISO
2008-09-20 08:50 . 2008-09-20 08:52 <DIR> d-------- C:\Program Files\UltraISO
2008-09-20 05:36 . 2008-09-20 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-20 05:35 . 2008-09-20 05:35 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-17 23:19 . 2008-09-17 23:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-15 23:32 . 2008-09-15 23:32 <DIR> d-------- C:\Program Files\RapidLeecher
2008-09-10 22:57 . 2008-09-10 22:57 229,464 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-09-10 21:57 . 2008-09-10 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Adobe
2008-09-10 21:52 . 2008-09-10 21:54 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-09-10 21:51 . 2008-09-10 21:51 <DIR> d--h----- C:\Documents and Settings\Musthafa\InstallAnywhere
2008-09-08 22:07 . 2008-09-08 22:09 3,622 --a------ C:\WINDOWS\system32\R120794A090398S23090031
2008-09-06 19:53 . 2008-09-06 19:53 95 --a------ C:\WINDOWS\wininit.ini
2008-09-06 18:16 . 2008-09-08 10:05 <DIR> d-------- C:\Program Files\Spybot
2008-09-06 18:16 . 2008-09-07 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 13:23 . 2008-09-06 13:23 96,256 --a------ C:\WINDOWS\system32\shoyqcik.dll
2008-09-06 13:23 . 2008-09-06 13:23 96,256 --a------ C:\WINDOWS\system32\kuffld.dll
2008-09-06 13:13 . 2008-09-06 13:13 <DIR> d--hs---- C:\Documents and Settings\Musthafa\UserData
2008-09-05 22:52 . 2008-09-24 05:01 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-09-04 23:22 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-09-04 23:22 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-09-04 23:20 . 2008-09-04 23:20 <DIR> d-------- C:\Program Files\Bonjour
2008-09-04 22:54 . 2008-09-04 22:54 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 16:20 --------- d-----w C:\Documents and Settings\Musthafa\Application Data\uTorrent
2008-09-24 16:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-23 23:38 --------- d-----w C:\Program Files\Xampp
2008-09-23 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-20 06:38 --------- d-----w C:\Program Files\QuickTime
2008-09-11 14:30 --------- d-----w C:\Documents and Settings\Musthafa\Application Data\Sony
2008-09-06 12:08 --------- d-----w C:\Program Files\Google
2008-09-05 17:41 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-09-04 17:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-24 14:01 --------- d-----w C:\Program Files\Web Publish
2008-08-21 20:15 159,232 ----a-w C:\WINDOWS\MFUnWeb.EXE
2008-08-11 15:00 70,328 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-08-11 15:00 5,423 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-08-08 17:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 16:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-05 15:14 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-30 16:45 --------- d-----w C:\Documents and Settings\Musthafa\Application Data\Corel
2008-07-30 03:54 --------- d-----w C:\Program Files\Dell
2008-07-03 18:53 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-07-02 13:43 8 --sh--r C:\Documents and Settings\All Users\Application Data\F59C8567CA.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 36864]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-07-02 159744]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-08 154392]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-08 133912]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-20 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 C:\WINDOWS\stsystra.exe]
C:\Documents and Settings\Musthafa\Start Menu\Programs\Startup\
µTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe [2008-06-05 219952]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= D:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 12:09 460784 C:\Program Files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-06 13:44 133104 C:\Documents and Settings\Musthafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-20 12:07 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"NBService"=3 (0x3)
"Creative Labs Licensing Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"PSI_SVC_2"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Xampp\\apache\\bin\\apache.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2001-08-29 49152]
R2 paldrv;paldrv;C:\WINDOWS\system32\pal_drv.sys [1998-10-07 4544]
R3 OEM02Afx;Provides a software interface to control audio effects of M08 Internal webcam.;C:\WINDOWS\system32\Drivers\OEM02Afx.sys [2007-01-10 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]
S2 Apache2.2;Apache2.2;C:\Program Files\Xampp\apache\bin\apache.exe [2008-06-14 17408]
S3 CA_LIC_CLNT;CA-License Client;C:\WINDOWS\Lic98Rmt.exe [2001-08-16 73728]
S3 CA_LIC_SRVR;CA-License Server;C:\WINDOWS\Lic98RmtD.exe [2001-09-19 73728]
S3 EraserUtilDrv10821;EraserUtilDrv10821;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e04969b-0723-11dd-ae37-001c23f92671}]
\Shell\AutoRun\command - none
\Shell\explore\Command - none
\Shell\open\Command - none
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b114400-0e02-11dd-ae45-001c23f92671}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfcaa9cc-065c-11dd-ae36-001c23f92671}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d03aa488-32ed-11dd-ae8e-001c23f92671}]
\Shell\AutoRun\command - uxdeiect.com
\Shell\explore\Command - uxdeiect.com
\Shell\open\Command - uxdeiect.com
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Musthafa\Application Data\Mozilla\Firefox\Profiles\y04snl28.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Documents and Settings\Musthafa\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-09-24 21:50:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Xampp\FileZillaFTP\FileZillaServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\hidfind.exe
C:\Program Files\DellTPad\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-09-24 21:54:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 16:23:52
Pre-Run: 29,702,246,400 bytes free
Post-Run: 29,661,536,256 bytes free
258 --- E O F --- 2008-07-12 04:05:39
------------------------------------------------------------------
And here is my HijackThis log:
------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:04 PM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Musthafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Softwares\Hi Jack This\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1222002626421
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Xampp\apache\bin\apache.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\Lic98RmtD.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\Xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6790 bytes