02-10-2008, 10:48 PM   #1
Registered User (Join Date: Feb 2008, Posts: 8, OS: XP SP2)

Constant Pop Ups on IE - Smitfraud c.coreservices

Hi,

I got this malware/crapware installed on my system when I installed a bootleg copy of AVG 7.5 anti-virus/firewall program off the net. I guess I learnt my lesson. I almost always use Firefox to browse the internet, while the pop ups are on IE. I ran other scans like smitfraudfix and smitrem etc. in safe mode, followed by AntiSpyware Blaster, Spybot etc., but haven't had much success. I used HijackThis prior to turning to this forum for help, and had posted its logs in my old thread. Following Go The Power's 5-step process, I am posting the logs of my scans (Panda and DSS) in this new thread. Sorry for my delay, but I was out for the weekend and just came back today.

Attached are the log files extra.txt and Activescan.txt
I now leave it in your capable hands. Here is the main.txt from the DSS scan:

Deckard's System Scanner v20071014.68
Run by Vikram Palakodety on 2008-02-11 00:22:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-02-11 05:22:51 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).


-- HijackThis (run as Vikram Palakodety.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:53 AM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\Documents and Settings\Vikram Palakodety\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\VIKRAM~1\Desktop\Vikram Palakodety.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9976 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 pxhelp200 - c:\windows\system32\drivers\pxhelp200.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 Stltrk2k - c:\windows\system32\drivers\stltrk2k.sys <Not Verified; SCM Microsystems Inc.; Support Driver for WINNT Based Applications>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 BTCOMM - c:\windows\system32\drivers\btcomm.sys <Not Verified; Windigo Systems; >
R3 BTKRNBDG (Bluetooth COM Bridge) - c:\windows\system32\drivers\btkrnbdg.sys <Not Verified; Windigo Systems; >
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 vad_multi (Windigo Virtual Audio Device (WDM)) - c:\windows\system32\drivers\vadmulti.sys <Not Verified; Windigo Systems; >

S3 CA561 (ICatch (VI) PC Camera) - c:\windows\system32\drivers\spca561.sys (file missing)
S3 CoachUsb (Digital Camera on USB) - c:\windows\system32\drivers\coachusb.sys (file missing)
S3 CSRBC01 (%CSRBC01.SvcDesc%) - c:\windows\system32\drivers\csrbc01.sys <Not Verified; Windigo; Windigo USB Device Driver>
S3 DSCVc (Video Capture) - c:\windows\system32\drivers\coachvc.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LogWatch (Event Log Watch) - c:\windows\logwatnt.exe
R2 OracleCSService - c:\oracle\product\10.1.0\db_1\bin\ocssd.exe service
R2 OracleOraDb10g_home1iSQL*Plus - c:\oracle\product\10.1.0\db_1\bin\isqlplussvc.exe <Not Verified; Oracle; IPlusSvce>
R2 OracleOraDb10g_home1TNSListener - c:\oracle\product\10.1.0\db_1\bin\tnslsnr (file missing)
R2 OracleServiceORCL - c:\oracle\product\10.1.0\db_1\bin\oracle.exe orcl <Not Verified; Oracle Corporation; >

S2 OracleDBConsoleorcl - c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe <Not Verified; Oracle Corporation; >
S3 OracleOraDb10g_home1SNMPPeerEncapsulator - c:\oracle\product\10.1.0\db_1\bin\encsvc.exe
S3 OracleOraDb10g_home1SNMPPeerMasterAgent - c:\oracle\product\10.1.0\db_1\bin\agntsvc.exe
S4 OracleJobSchedulerORCL - c:\oracle\product\10.1.0\db_1\bin\extjob.exe orcl


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\BD6C8F0081221400
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\BD6C8F0081221400
Service: NIC1394

Class GUID: {4D36E970-E325-11CE-BFC1-08002BE10318}
Description: M-Systems DiskOnChip 2000
Device ID: ROOT\MTD\0000
Manufacturer: M-Systems Flash Disk Pioneers
Name: M-Systems DiskOnChip 2000
PNP Device ID: ROOT\MTD\0000
Service: tffsport


-- Scheduled Tasks -------------------------------------------------------------

2006-03-27 20:56:42 324 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2008-01-11 and 2008-02-11 -----------------------------

2008-02-11 00:18:58 0 d-------- C:\WINDOWS\LastGood
2008-02-11 0027 0 d-------- C:\Program Files\SpywareBlaster
2008-02-10 21:35:16 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-10 21:34:42 8576 --a------ C:\WINDOWS\system32\drivers\wbdhebdrrvmw.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-10 13:46:31 0 d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-10 13:46:31 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 13:40:40 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-10 13:39:56 0 d-------- C:\Program Files\Microsoft SDKs
2008-02-10 13:37:20 0 d-------- C:\Program Files\MSBuild
2008-02-10 13:37:07 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-02-10 13:36:56 0 d-------- C:\Program Files\Reference Assemblies
2008-02-10 13:28:47 0 d-------- C:\Program Files\MSXML 6.0
2008-02-10 13:15:28 0 d-------- C:\3ef7c5c1e4e1bcb394ca19e091441f
2008-02-10 13:14:10 0 d-------- C:\Program Files\Microsoft Silverlight
2008-02-10 12:40:25 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-07 23:13:09 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 23:13:09 3457 --a------ C:\WINDOWS\unins000.dat
2008-02-07 01:51:39 0 d-------- C:\Program Files\RogueRemover FREE
2008-02-05 21:13:30 5632 --a------ C:\WINDOWS\system32\msdtc32.dll <Not Verified; Microsoft Corporation; MSDTC32.DLL>
2008-02-05 21:13:30 56 --a------ C:\mscrypt.bat
2008-02-05 21:13:30 10240 --a------ C:\info.exe
2008-02-03 21:38:59 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 21:38:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:38:50 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SUPERAntiSpyware.com
2008-02-03 21:27:23 2928 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 21:27:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 21:27:10 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-03 21:27:10 83456 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-03 21:27:10 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-03 21:27:10 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-03 21:27:10 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-03 21:27:10 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 15:45:13 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\TVU Networks
2008-02-03 15:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-02 1647 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 16:10:46 274432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-22 08:57:14 0 d-------- C:\Program Files\Lavasoft
2008-01-22 08:57:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 08:56:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 19:19:00 86144 --a------ C:\WINDOWS\system32\drivers\pxhelp200.sys


-- Find3M Report ---------------------------------------------------------------

2008-02-11 00:25:48 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Azureus
2008-02-10 20:36:28 0 d-------- C:\Program Files\WinSCP
2008-02-10 20:28:15 0 d-------- C:\Program Files\GoogleAFE
2008-02-10 20:28:14 0 d-------- C:\Program Files\Google
2008-02-10 20:26:44 0 d-------- C:\Program Files\Digital Line Detect
2008-02-10 17:42:15 0 d-------- C:\Program Files\Winamp Remote
2008-02-08 22:19:20 0 d-------- C:\Program Files\Real
2008-02-07 01:57:37 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Adobe
2008-02-05 21:13:30 136 --a------ C:\Documents and Settings\Vikram Palakodety\Application Data\odbcbase.ocx
2008-02-04 00:45:47 0 d-------- C:\Program Files\Common Files
2008-02-04 00:45:44 0 d-------- C:\Program Files\Dazzle
2008-02-03 11:23:24 0 d-------- C:\Program Files\Dell
2008-02-02 16:49:07 0 d-------- C:\Program Files\FLStudio4
2008-02-02 16:25:57 0 d-------- C:\Program Files\DivX
2008-02-02 16:21:57 0 d-------- C:\Program Files\Common Files\Corel
2008-01-16 23:41:03 7362 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 23:41:03 152 -r-hs---- C:\WINDOWS\system32\0ED3398088.sys
2008-01-16 23:40:53 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Corel
2008-01-16 23:39:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-02 13:37:10 0 d-------- C:\Program Files\Azureus
2007-12-16 14:40:39 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SmartFTP
2007-12-16 13:33:10 0 d-------- C:\Program Files\Direct WAV MP3 Splitter
2007-12-16 01:21:10 0 d-------- C:\Program Files\Java
2007-12-03 20:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 17:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 17:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 17:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 16:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/29/2005 05:56 AM]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [09/20/2003 02:23 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"BTUSRBDG"="BtUsrBdg.exe" [11/05/2003 10:21 PM C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [04/15/2003 10:48 AM C:\WINDOWS\system32\BTSetBootKey.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/28/2006 08:25 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 06:00 AM C:\WINDOWS\system32\bthprops.cpl]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 04:22 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [02/11/2007 12:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/16/2006 12:54 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [06/18/2003 12:00 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [01/07/2008 03:02 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/09/2007 10:17 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2/21/2006 11:07:28 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
Startup.exe [10/16/2003 4:37:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
msdtc32.dll 02/05/2008 09:13 PM 5632 C:\WINDOWS\system32\msdtc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

*Newly Created Service* - SDTHOOK
*Newly Created Service* - WBDHEBDRRVMW



-- End of Deckard's System Scanner: finished at 2008-02-11 00:26:42 ------------

Thanks much,
Mahabore
Attached files: Activescan.txt (10.1 KB), extra.txt (23.6 KB)
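The log in the post above contains a pattern that is easier to pull out mechanically than by eye: the O20 Winlogon Notify entry msdtc32 points at C:\WINDOWS\SYSTEM32\msdtc32.dll, and the "Files created" and Find3M sections show that DLL, C:\mscrypt.bat, C:\info.exe and odbcbase.ocx all written in the same second (2008-02-05 21:13:30), with the DLL's version resource naming Microsoft while DSS marks it "Not Verified". The script below is an added example, not part of the original post and not code from DSS or HijackThis. It parses those two kinds of lines out of a DSS main.txt, groups file creations by identical second, and ties each Winlogon Notify DLL that appears in the file listings back to its creation cluster. The regular expressions are my own reading of the line formats as shown in the thread; the "Not Verified" check treats the company name as untrusted metadata (DSS prints it from the file's own version resource); and SAMPLE_LOG is a hand-picked excerpt of the posted log, not the full file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt of the DSS main.txt posted above (a handful of lines,
# not the whole log), used as sample input so the script runs offline.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
-- Files created between 2008-01-11 and 2008-02-11 -----------------------------
2008-02-10 21:35:16 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-05 21:13:30 5632 --a------ C:\WINDOWS\system32\msdtc32.dll <Not Verified; Microsoft Corporation; MSDTC32.DLL>
2008-02-05 21:13:30 56 --a------ C:\mscrypt.bat
2008-02-05 21:13:30 10240 --a------ C:\info.exe
2008-02-03 21:38:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:27:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
-- Find3M Report ---------------------------------------------------------------
2008-02-05 21:13:30 136 --a------ C:\Documents and Settings\Vikram Palakodety\Application Data\odbcbase.ocx
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
"""

# Both patterns are my reading of the DSS/HijackThis line formats shown in the thread.
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)\s*$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)(?: <(?P<ver>[^>]*)>)?\s*$"
)


def basename(path):
    """Case-folded final path component, so SYSTEM32 and system32 compare equal."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_notify(log):
    """Map each Winlogon Notify handler name to the DLL it loads into winlogon.exe."""
    return {m["name"]: m["path"] for m in map(NOTIFY_RE.match, log.splitlines()) if m}


def parse_files(log):
    """File records from the 'Files created' and Find3M sections (directories skipped)."""
    records = []
    for m in map(FILE_RE.match, log.splitlines()):
        if m and not m["attrs"].startswith("d"):
            records.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "size": int(m["size"]), "path": m["path"], "ver": m["ver"] or ""})
    return records


def timestamp_clusters(files, min_members=2):
    """Group files written in the same second. A dropper writes its payload, loader and
    config together, so a shared second is a stronger signal than any one path alone."""
    by_ts = defaultdict(list)
    for f in files:
        by_ts[f["ts"]].append(f["path"])
    return {ts: sorted(paths) for ts, paths in by_ts.items() if len(paths) >= min_members}


def unverified_vendor_claim(rec, vendor="Microsoft"):
    """True when DSS could not verify a signature but the file's own version resource
    (attacker-controlled metadata) still names the vendor."""
    return rec["ver"].startswith("Not Verified") and vendor in rec["ver"]


def triage(log):
    """Tie each Winlogon Notify DLL that appears among the listed files back to
    everything else written in the same second."""
    files = parse_files(log)
    clusters = timestamp_clusters(files)
    by_name = {basename(f["path"]): f for f in files}
    findings = []
    for name, dll in parse_notify(log).items():
        rec = by_name.get(basename(dll))
        if rec is None:  # DLL not in the file listings; this log alone says nothing about it
            continue
        findings.append({
            "notify": name,
            "dll": rec["path"],
            "created": rec["ts"].strftime("%Y-%m-%d %H:%M:%S"),
            "same_second": [p for p in clusters.get(rec["ts"], []) if p != rec["path"]],
            "unverified_microsoft": unverified_vendor_claim(rec),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['notify']}: {hit['dll']} created {hit['created']}, "
              f"unverified Microsoft claim={hit['unverified_microsoft']}")
        for sibling in hit["same_second"]:
            print("   same second:", sibling)
```

Run against the excerpt, it reports only msdtc32: SASWINLO.dll never appears in the file listings, so the script says nothing about it rather than guessing. The same-second siblings it prints (mscrypt.bat, info.exe, odbcbase.ocx) are the files a helper would want uploaded or hashed alongside the DLL before anything is deleted; the timestamp grouping is a heuristic and the vendor string check is only a reason to look closer, not proof on its own.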

02-15-2008, 02:08 PM   #2
amateur, Moderator, Analyst, Security Team; Rangemaster, TSF Academy (Join Date: Jun 2006, Location: USA, Posts: 7,463, OS: XP SP3)

Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hello and welcome to TSF.

Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it’s taking us longer to catch up. If you haven’t received help elsewhere already and still require assistance please post a fresh HijackThis log and I’ll be happy to help you.

Thanks for your patience.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
02-16-2008, 10:51 AM   #3
Registered User (Join Date: Feb 2008, Posts: 8, OS: XP SP2)

Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi amateur,

Thanks for the update. Here are my logs from the scans. As done previously, here's the main.txt from the DSS scan:

Deckard's System Scanner v20071014.68
Run by Vikram Palakodety on 2008-02-16 12:44:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Vikram Palakodety.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:13 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\LogWatNT.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Deckard\System Scanner\dss.exe
C:\DOCUME~1\VIKRAM~1\Desktop\Vikram Palakodety.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC2Me] C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe /auto
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9301 bytes

-- Files created between 2008-01-16 and 2008-02-16 -----------------------------

2008-02-15 20:28:25 947472 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-02-15 20:28:24 0 d-------- C:\Program Files\1stWORKS
2008-02-14 00:08:04 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-02-14 00:07:18 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla
2008-02-14 0030 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia
2008-02-14 0028 0 d-------- C:\Documents and Settings\Guest\Application Data\GTek
2008-02-14 0026 0 d-------- C:\Documents and Settings\Guest\Application Data\Real
2008-02-14 00:05:58 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-02-14 00:05:58 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-02-14 00:05:58 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2008-02-14 00:05:58 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-02-14 00:05:58 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2008-02-14 00:05:58 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-02-14 00:05:58 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-02-14 00:05:58 0 d-------- C:\Documents and Settings\Guest\Application Data\Google
2008-02-14 00:05:58 0 d-------- C:\Documents and Settings\Guest\Application Data\Corel
2008-02-14 00:05:57 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-02-14 00:05:57 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-02-14 00:05:57 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-02-14 00:05:57 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-02-14 00:05:57 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-02-14 00:05:57 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-02-14 00:05:57 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-02-14 00:05:57 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-02-14 00:05:56 1048576 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-02-13 23:18:54 0 d-------- C:\Program Files\IVT Corporation
2008-02-13 23:18:46 0 --a------ C:\WINDOWS\system32\0
2008-02-13 23:18:46 32 --a------ C:\WINDOWS\0
2008-02-11 0027 0 d-------- C:\Program Files\SpywareBlaster
2008-02-10 21:35:16 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-10 13:46:31 0 d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-10 13:46:31 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 13:40:40 0 d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-10 13:39:56 0 d-------- C:\Program Files\Microsoft SDKs
2008-02-10 13:37:20 0 d-------- C:\Program Files\MSBuild
2008-02-10 13:37:07 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-02-10 13:36:56 0 d-------- C:\Program Files\Reference Assemblies
2008-02-10 13:28:47 0 d-------- C:\Program Files\MSXML 6.0
2008-02-10 13:15:28 0 d-------- C:\3ef7c5c1e4e1bcb394ca19e091441f
2008-02-10 13:14:10 0 d-------- C:\Program Files\Microsoft Silverlight
2008-02-10 12:40:25 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-07 23:13:09 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 23:13:09 3457 --a------ C:\WINDOWS\unins000.dat
2008-02-07 01:51:39 0 d-------- C:\Program Files\RogueRemover FREE
2008-02-05 21:13:30 5632 --a------ C:\WINDOWS\system32\msdtc32.dll <Not Verified; Microsoft Corporation; MSDTC32.DLL>
2008-02-05 21:13:30 56 --a------ C:\mscrypt.bat
2008-02-05 21:13:30 10240 --a------ C:\info.exe
2008-02-03 21:38:59 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 21:38:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:38:50 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SUPERAntiSpyware.com
2008-02-03 21:27:23 2928 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 21:27:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 21:27:10 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-03 21:27:10 83456 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-03 21:27:10 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-03 21:27:10 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-03 21:27:10 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-03 21:27:10 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 15:45:13 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\TVU Networks
2008-02-03 15:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-02 1647 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 16:10:46 274432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-22 08:57:14 0 d-------- C:\Program Files\Lavasoft
2008-01-22 08:57:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 08:56:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-02-16 12:45:22 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Azureus
2008-02-16 12:22:35 0 d-------- C:\Program Files\WinSCP
2008-02-16 12:14:46 0 d-------- C:\Program Files\GoogleAFE
2008-02-16 12:14:45 0 d-------- C:\Program Files\Google
2008-02-16 12:13:14 0 d-------- C:\Program Files\Digital Line Detect
2008-02-16 12:10:43 0 d-------- C:\Program Files\Azureus
2008-02-13 23:24:14 0 d-------- C:\Program Files\Winamp Remote
2008-02-13 23:22:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 22:19:20 0 d-------- C:\Program Files\Real
2008-02-07 01:57:37 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Adobe
2008-02-05 21:13:30 136 --a------ C:\Documents and Settings\Vikram Palakodety\Application Data\odbcbase.ocx
2008-02-04 00:45:47 0 d-------- C:\Program Files\Common Files
2008-02-04 00:45:44 0 d-------- C:\Program Files\Dazzle
2008-02-03 11:23:24 0 d-------- C:\Program Files\Dell
2008-02-02 16:49:07 0 d-------- C:\Program Files\FLStudio4
2008-02-02 16:25:57 0 d-------- C:\Program Files\DivX
2008-02-02 16:21:57 0 d-------- C:\Program Files\Common Files\Corel
2008-01-16 23:41:03 7362 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 23:41:03 152 -r-hs---- C:\WINDOWS\system32\0ED3398088.sys
2008-01-16 23:40:53 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\Corel
2007-12-16 14:40:39 0 d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SmartFTP
2007-12-16 13:33:10 0 d-------- C:\Program Files\Direct WAV MP3 Splitter
2007-12-16 01:21:10 0 d-------- C:\Program Files\Java
2007-12-03 20:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 17:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 17:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 17:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 16:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/29/2005 05:56 AM]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [09/20/2003 02:23 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/28/2006 08:25 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 06:00 AM C:\WINDOWS\system32\bthprops.cpl]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 04:22 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [02/11/2007 12:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/16/2006 12:54 AM]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [09/10/2007 11:08 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [06/18/2003 12:00 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [01/07/2008 03:02 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/09/2007 10:17 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"PC2Me"="C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe" [02/12/2008 11:29 PM]
"Files2Phones"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2/21/2006 11:07:28 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
msdtc32.dll 02/05/2008 09:13 PM 5632 C:\WINDOWS\system32\msdtc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

*Newly Created Service* - WBKGJEXMGKCS



-- End of Deckard's System Scanner: finished at 2008-02-16 12:45:36 ------------

Also, attached is the log of Panda's scan.

Thanks much,
mahabore
Attached Files: Activescan.txt (15.1 KB)
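Editor's note, added to this thread and not part of the original post or of any tool mentioned in it: the two logs above carry the kind of indicators a responder picks out by hand, and the short Python script below shows how to pull them out automatically. It applies three checks to lines copied from the HijackThis and Deckard's System Scanner output above (the sample strings in the script are those copied lines, trimmed to a few entries so it runs offline): an O2 BHO listed as "(no name)" but backed by a real DLL; an O20 Winlogon Notify DLL living in system32 (HijackThis does not list the stock Windows Notify handlers, so whatever shows up there has to be accounted for); and, from the DSS "files created" section, groups of files written in the same second across unrelated directories, which is how a dropper lands its payload (in the log above, msdtc32.dll, mscrypt.bat, info.exe and odbcbase.ocx all share 2008-02-05 21:13:30). It also lists files whose version info claims Microsoft Corporation while DSS printed `<Not Verified; ...>`, meaning it could not verify a signature. The severity labels and function names are my own choices. Every hit is a candidate for a hash lookup or signed-file check, not a verdict: legitimate unsigned files and orphaned entries show up in these sections too.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis and DSS logs
# posted above, cut down to a few entries so the script runs offline.
HJT_SAMPLE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {71DC761C-58BD-4f3d-99F7-7C1B54B5BBCB} - C:\WINDOWS\system32\crypt32r.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
"""

DSS_SAMPLE = r"""
2008-02-10 21:35:16 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda Antivirus>
2008-02-05 21:13:30 5632 --a------ C:\WINDOWS\system32\msdtc32.dll <Not Verified; Microsoft Corporation; MSDTC32.DLL>
2008-02-05 21:13:30 56 --a------ C:\mscrypt.bat
2008-02-05 21:13:30 10240 --a------ C:\info.exe
2008-02-05 21:13:30 136 --a------ C:\Documents and Settings\Vikram Palakodety\Application Data\odbcbase.ocx
2008-02-03 21:38:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:27:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# The path is the first drive-letter path on the line, or the literal "(no file)".
HJT_PATH = re.compile(r"([A-Za-z]:\\\S.*|\(no file\))$")
SYSTEM32_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)
# DSS "files created" line: timestamp, size, attribute flags, path, optional <vendor info>.
DSS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)(?:\s+<(.*)>)?$"
)


def parse_hjt_line(line):
    """Return (section, descriptor, path) for one HijackThis entry, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    p = HJT_PATH.search(rest)
    if not p:
        return section, rest, None
    return section, rest[: p.start()].rstrip(" -"), p.group(1)


def triage_hjt(lines):
    """Flag HijackThis entries that must be explained before they are left alone."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if not parsed:
            continue
        section, desc, path = parsed
        if section == "O2" and "(no name)" in desc and path and path != "(no file)":
            findings.append(("high", "unnamed BHO backed by a real DLL", path))
        elif section == "O20" and desc.startswith("Winlogon Notify") and path and SYSTEM32_DLL.match(path):
            findings.append(("high", "Winlogon Notify DLL in system32 (stock handlers are hidden by HJT)", path))
        elif section == "O23" and " - Unknown owner - " in line:
            findings.append(("low", "service binary with no publisher information", path))
    return findings


def cluster_dss(lines, min_files=2):
    """Group DSS 'files created' entries by the exact second of creation.

    A dropper writes its payload in one burst, so several files sharing a
    timestamp across unrelated directories is a strong lead. Directory
    entries (attribute flags starting with 'd') are ignored.
    """
    by_second = defaultdict(list)
    for line in lines:
        m = DSS_LINE.match(line.strip())
        if not m or m.group(3).startswith("d"):
            continue
        by_second[m.group(1)].append(m.group(4))
    clusters = {}
    for stamp, paths in by_second.items():
        dirs = {p.rsplit("\\", 1)[0].lower() for p in paths}
        if len(paths) >= min_files and len(dirs) > 1:
            clusters[stamp] = paths
    return clusters


def unverified_vendor_claims(lines, vendor="Microsoft Corporation"):
    """Files whose version info names `vendor` but whose signature DSS could not verify."""
    hits = []
    for line in lines:
        m = DSS_LINE.match(line.strip())
        meta = m.group(5) if m else None
        if meta and meta.startswith("Not Verified") and vendor in meta:
            hits.append(m.group(4))
    return hits


def triage_report(hjt_text, dss_text):
    """Run all three checks and return the report as a list of lines."""
    out = [f"[{sev}] {rule}: {path}" for sev, rule, path in triage_hjt(hjt_text.splitlines())]
    for stamp, paths in sorted(cluster_dss(dss_text.splitlines()).items()):
        out.append(f"[high] {len(paths)} files created in the same second ({stamp}):")
        out.extend(f"        {p}" for p in paths)
    for path in unverified_vendor_claims(dss_text.splitlines()):
        out.append(f"[review] version info says Microsoft Corporation but signature not verified: {path}")
    return out


if __name__ == "__main__":
    print("\n".join(triage_report(HJT_SAMPLE, DSS_SAMPLE)))
```

Run it as-is to print the report for the embedded sample, or pass the full text of a saved HijackThis log and a DSS main.txt to `triage_report()`. The timestamp rule is the one worth keeping even after this particular infection is gone: it does not depend on knowing any file name in advance.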
Old 02-16-2008, 11:15 AM   #4
amateur
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3

Re: Constant Pop Ups on IE - Smitfraud c.coreservices

We'll begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Old 02-16-2008, 02:09 PM   #5
Registered User
Join Date: Feb 2008
Posts: 8
OS: XP SP2


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Here's the latest HijackThis log. The ComboFix log file is attached to this reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:00 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Documents and Settings\Vikram Palakodety\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {71DC761C-58BD-4f3d-99F7-7C1B54B5BBCB} - C:\WINDOWS\system32\crypt32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC2Me] C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe /auto
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9287 bytes



ComboFix 08-02-17.2 - Vikram Palakodety 2008-02-16 15:52:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.509 [GMT -5:00]
Running from: C:\Documents and Settings\Vikram Palakodety\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pxhelp200.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Vikram Palakodety\Application Data\macromedia\Flash Player\#SharedObjects\VTRBPZLG\www.broadcaster.com
C:\Documents and Settings\Vikram Palakodety\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Vikram Palakodety\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pxhelp200.sys
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupda
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NM
-------\LEGACY_NPF
-------\LEGACY_PXHELP200
-------\pxhelp200


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-15 20:28 . 2008-02-15 20:28 <DIR> d-------- C:\Program Files\1stWORKS
2008-02-15 20:28 . 2003-02-28 17:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2008-02-14 00:06 . 2008-02-14 00:08 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\GTek
2008-02-14 00:05 . 2006-02-21 23:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Corel
2008-02-13 23:25 . 2008-02-13 23:47 1,885 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-02-13 23:25 . 2008-02-13 23:51 180 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-02-13 23:24 . 2008-02-14 00:00 4,333 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-02-13 23:24 . 2008-02-13 23:24 100 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-02-13 23:19 . 2008-02-13 23:19 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-02-13 23:18 . 2008-02-13 23:18 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-13 23:18 . 2008-02-13 23:19 32 --a------ C:\WINDOWS\0
2008-02-13 23:18 . 2008-02-13 23:18 0 --a------ C:\WINDOWS\system32\0
2008-02-11 00:22 . 2008-02-11 00:22 <DIR> d-------- C:\Deckard
2008-02-11 00:06 . 2008-02-11 00:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-10 21:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 13:40 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-10 13:39 . 2008-02-10 13:39 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\Program Files\MSBuild
2008-02-10 13:36 . 2008-02-10 13:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-10 13:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-10 13:28 . 2008-02-10 13:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-10 13:14 . 2008-02-16 12:18 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-10 12:40 . 2008-02-16 12:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 12:40 . 2008-02-16 11:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 12:40 . 2008-02-16 11:23 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 12:40 . 2008-02-16 11:23 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-07 23:13 . 2008-02-07 23:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 23:13 . 2008-02-07 23:13 3,457 --a------ C:\WINDOWS\unins000.dat
2008-02-07 01:51 . 2008-02-13 00:48 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-05 21:13 . 2008-02-15 08:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 21:13 . 2008-02-05 21:13 10,240 --a------ C:\info.exe
2008-02-05 21:13 . 2008-02-05 21:13 5,632 --a------ C:\WINDOWS\system32\msdtc32.dll
2008-02-05 21:13 . 2008-02-05 21:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 21:13 . 2008-02-05 21:13 56 --a------ C:\mscrypt.bat
2008-02-03 21:38 . 2008-02-16 12:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SUPERAntiSpyware.com
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 21:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 21:27 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 21:27 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 21:27 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 21:27 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 21:27 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 21:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 21:27 . 2008-02-07 01:59 2,928 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\TVU Networks
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-02 16:06 . 2008-02-02 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 16:10 . 2008-01-30 16:10 274,432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 08:56 . 2008-02-13 00:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 20:48 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Azureus
2008-02-16 17:22 --------- d-----w C:\Program Files\WinSCP
2008-02-16 17:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 17:14 --------- d-----w C:\Program Files\GoogleAFE
2008-02-16 17:14 --------- d-----w C:\Program Files\Google
2008-02-16 17:13 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-16 17:10 --------- d-----w C:\Program Files\Azureus
2008-02-14 04:24 --------- d-----w C:\Program Files\Winamp Remote
2008-02-14 04:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-09 03:19 --------- d-----w C:\Program Files\Real
2008-02-08 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 05:45 --------- d-----w C:\Program Files\Dazzle
2008-02-03 16:23 --------- d-----w C:\Program Files\Dell
2008-02-02 21:49 --------- d-----w C:\Program Files\FLStudio4
2008-02-02 21:25 --------- d-----w C:\Program Files\DivX
2008-02-02 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-02 21:21 --------- d-----w C:\Program Files\Common Files\Corel
2008-01-17 04:40 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Corel
2008-01-08 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-01-02 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2006-07-29 19:02 49,624 ----a-w C:\Documents and Settings\Vikram Palakodety\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71DC761C-58BD-4f3d-99F7-7C1B54B5BBCB}]
2008-02-17 15:59 8704 --a------ C:\WINDOWS\system32\crypt32r.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 15:02 495616]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-09 22:17 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PC2Me"="C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe" [2008-02-12 23:29 2434400]
"Files2Phones"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 14:23 45056]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-28 20:25 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-11 00:50 220160]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-16 00:54 155648]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2007-09-10 11:08 258134]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-21 23:07:28 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32]
crypt32r.dll 2008-02-17 15:59 8704 C:\WINDOWS\system32\crypt32r.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
msdtc32.dll 2008-02-05 21:13 5632 C:\WINDOWS\system32\msdtc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 22:00]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2007-09-14 09:44]
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2000-06-08 13:15]
R2 OracleCSService;OracleCSService;C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe service []
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL []
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2007-08-17 15:58]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys []
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys []
S3 CoachUsb;Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys []
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE [2006-03-01 20:18]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE [2006-03-01 20:18]
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys []
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL []

.
Contents of the 'Scheduled Tasks' folder
"2006-03-28 01:56:42 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 15:58:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\crypt32r.dll 8704 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\BsLangInDepRes.dll
-> C:\Program Files\1stWORKS\pc2me\BIN\HCAM.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2008-02-17 16:02:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 21:02:50
.
2008-02-14 08:03:45 --- E O F ---
Attached Files
File Type: txt ComboFix.txt (15.2 KB, 1 views)

Last edited by amateur; 02-16-2008 at 10:05 PM. Reason: added combofix.txt
Old 02-17-2008, 06:47 AM   #6 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 8
OS: XP SP2


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi Amateur,

The pop ups have stopped. I don't see them anymore. Whoopeee!! But I guess there's more to do?? Let me know.

Thanks,
Vikram
Old 02-17-2008, 07:15 AM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi,

I am happy to hear that the popups stopped, but you're right; there is more to do.

Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
At the top of the page there is a field to add the file path; copy and paste this file path:

C:\WINDOWS\system32\BsLangInDepRes.dll


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

===========================

Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text inside the code box below into it (it must be Notepad, not WordPad, or it won't work):

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/220475-constant-pop-ups-ie-smitfraud-c-coreservices.html#post1327371

KILLALL::

Collect::
C:\WINDOWS\system32\crypt32r.dll
C:\WINDOWS\SYSTEM32\msdtc32.dll

Suspect::
C:\WINDOWS\system32\BsLangInDepRes.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71DC761C-58BD-4f3d-99F7-7C1B54B5BBCB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.



Please post back the Jotti scan results, ComboFix.txt, and a fresh HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 02-17-2008 at 07:16 AM.
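The two Winlogon\Notify entries that the CFScript above removes (crypt32r.dll and msdtc32.dll) are a classic persistence point: a DLL registered there is loaded by winlogon.exe at every logon, before the desktop exists. As an added example, not code from this thread or from ComboFix, the script below pulls the Notify entries and catchme's hidden-file list out of a ComboFix log and scores each DLL; the allow-list, the size threshold and the other heuristics are assumptions of the example, and the sample input is an excerpt of the log posted earlier in the thread.

```python
"""Score Winlogon\\Notify packages in a ComboFix-style log (example code, not ComboFix's).
Notify DLLs load into winlogon.exe at logon, so a rogue one runs before the desktop exists."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Allow-list (an assumption): Windows XP default notify DLLs plus the
# SUPERAntiSpyware package visible in the log above.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll", "saswinlo.dll"}
# System DLL stems that droppers like to borrow (crypt32 -> crypt32r).
SYSTEM_STEMS = ("crypt32", "cryptnet", "msdtc", "winlogon", "userinit", "wininet")
SMALL_DLL_BYTES = 20_000  # genuine notify DLLs are far larger than this

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<subkey>[^\]]+)\]$", re.IGNORECASE)
# ComboFix value line: "<DllName> <yyyy-mm-dd> <hh:mm> <size> <full path>"
NOTIFY_VALUE_RE = re.compile(
    r"^(?P<dll>.+?) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) (?P<path>.+)$")
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes")
SCAN_TIME_RE = re.compile(r"^Rootkit scan (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.MULTILINE)


@dataclass
class NotifyEntry:
    subkey: str
    mtime: datetime
    size: int
    path: str
    reasons: list = field(default_factory=list)


def parse_notify(log_text):
    """One entry per Notify subkey that still carries a DLL value. ComboFix prints
    the value on the line after the key; an emptied key is followed by a blank."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries = []
    for i, line in enumerate(lines[:-1]):
        key = NOTIFY_KEY_RE.match(line)
        val = NOTIFY_VALUE_RE.match(lines[i + 1]) if key else None
        if key and val:
            mtime = datetime.strptime(f"{val['date']} {val['time']}", "%Y-%m-%d %H:%M")
            entries.append(NotifyEntry(key["subkey"], mtime, int(val["size"]), val["path"]))
    return entries


def parse_hidden_files(log_text):
    """Paths catchme listed between 'scanning hidden files' and 'scan completed'."""
    hidden, inside = set(), False
    for line in (ln.strip() for ln in log_text.splitlines()):
        if line.startswith("scanning hidden files"):
            inside = True
        elif line.startswith("scan completed"):
            inside = False
        elif inside and (m := HIDDEN_FILE_RE.match(line)):
            hidden.add(m["path"].lower())
    return hidden


def parse_scan_time(log_text):
    m = SCAN_TIME_RE.search(log_text)
    return datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S") if m else None


def assess(entry, hidden_files, scan_time):
    """Attach every heuristic that fires; the caller decides the threshold."""
    name = entry.path.rsplit("\\", 1)[-1].lower()
    stem = name[:-4] if name.endswith(".dll") else name
    if name not in KNOWN_NOTIFY_DLLS:
        entry.reasons.append("not a known notify package")
    for legit in SYSTEM_STEMS:
        if stem.startswith(legit) and stem != legit:
            entry.reasons.append(f"name mimics system DLL {legit}.dll")
            break
    if entry.path.lower() in hidden_files:
        entry.reasons.append("hidden from the Win32 API (catchme)")
    if entry.size < SMALL_DLL_BYTES:
        entry.reasons.append(f"unusually small ({entry.size} bytes)")
    if scan_time and abs(scan_time - entry.mtime) <= timedelta(days=1):
        entry.reasons.append("modified within a day of the scan")
    return entry


def analyze(log_text):
    hidden, scan_time = parse_hidden_files(log_text), parse_scan_time(log_text)
    return [assess(e, hidden, scan_time) for e in parse_notify(log_text)]


def suspicious(log_text):
    # One weak hint is not enough; require two independent indicators.
    return [e for e in analyze(log_text) if len(e.reasons) >= 2]


# Excerpt of the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32]
crypt32r.dll 2008-02-17 15:59 8704 C:\WINDOWS\system32\crypt32r.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
msdtc32.dll 2008-02-05 21:13 5632 C:\WINDOWS\system32\msdtc32.dll
Rootkit scan 2008-02-17 15:58:54
scanning hidden files ...
C:\WINDOWS\system32\crypt32r.dll 8704 bytes executable
scan completed successfully
"""
```

Run against the second ComboFix log in this thread, the same parser returns no entries for the crypt32 and msdtc32 keys, because their value lines are gone.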
Old 02-17-2008, 09:34 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 8
OS: XP SP2


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Jotti scan results:
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Additional VirusTotal log:
File BsLangInDepRes.zip received on 02.18.2008 01:21:03 (CET)
Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.2.16.10 2008.02.15 -
AntiVir 7.6.0.67 2008.02.15 -
Authentium 4.93.8 2008.02.17 -
Avast 4.7.1098.0 2008.02.17 -
AVG 7.5.0.516 2008.02.17 -
BitDefender 7.2 2008.02.18 -
CAT-QuickHeal None 2008.02.16 -
ClamAV 0.92.1 2008.02.18 -
DrWeb 4.44.0.09170 2008.02.18 -
eSafe 7.0.15.0 2008.02.17 -
eTrust-Vet 31.3.5541 2008.02.15 -
Ewido 4.0 2008.02.17 -
FileAdvisor 1 2008.02.18 -
Fortinet 3.14.0.0 2008.02.17 -
F-Prot 4.4.2.54 2008.02.17 -
F-Secure 6.70.13260.0 2008.02.17 -
Ikarus T3.1.1.20 2008.02.17 -
Kaspersky 7.0.0.125 2008.02.18 -
McAfee 5231 2008.02.15 -
Microsoft 1.3204 2008.02.18 -
NOD32v2 2881 2008.02.17 -
Norman 5.80.02 2008.02.15 -
Panda 9.0.0.4 2008.02.17 -
Prevx1 V2 2008.02.18 -
Rising 20.31.50.00 2008.02.16 -
Sophos 4.26.0 2008.02.17 -
Sunbelt 2.2.907.0 2008.02.16 -
Symantec 10 2008.02.18 -
TheHacker 6.2.9.222 2008.02.16 -
VBA32 3.12.6.1 2008.02.17 -
VirusBuster 4.3.26:9 2008.02.17 -
Webwasher-Gateway 6.6.2 2008.02.15 -


Additional information
======================
File size: 9222042 bytes
MD5: 91ac58dfb8fb1b23f5b0b4a2961639b0
SHA1: c9d5bfb6e947ad4f268d9bac90cf0b7d377b35a9


Combofix log:
ComboFix 08-02-17.2 - Vikram Palakodety 2008-02-18 19:39:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.715 [GMT -5:00]
Running from: C:\Documents and Settings\Vikram Palakodety\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vikram Palakodety\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\crypt32r.dll
C:\WINDOWS\SYSTEM32\msdtc32.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 06:15 . 2008-02-18 06:18 <DIR> d-------- C:\Program Files\DLDIrc
2008-02-15 20:28 . 2008-02-15 20:28 <DIR> d-------- C:\Program Files\1stWORKS
2008-02-15 20:28 . 2003-02-28 17:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2008-02-14 00:06 . 2008-02-14 00:08 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\GTek
2008-02-14 00:05 . 2006-02-21 23:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Corel
2008-02-13 23:25 . 2008-02-18 11:13 3,178 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-02-13 23:25 . 2008-02-18 11:13 277 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-02-13 23:24 . 2008-02-18 19:45 4,334 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-02-13 23:24 . 2008-02-18 11:10 100 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-02-13 23:19 . 2008-02-13 23:19 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-02-13 23:18 . 2008-02-13 23:18 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-13 23:18 . 2008-02-13 23:19 32 --a------ C:\WINDOWS\0
2008-02-13 23:18 . 2008-02-13 23:18 0 --a------ C:\WINDOWS\system32\0
2008-02-11 00:22 . 2008-02-11 00:22 <DIR> d-------- C:\Deckard
2008-02-11 00:06 . 2008-02-11 00:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-10 21:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 13:40 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-10 13:39 . 2008-02-10 13:39 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\Program Files\MSBuild
2008-02-10 13:36 . 2008-02-10 13:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-10 13:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-10 13:28 . 2008-02-10 13:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-10 13:14 . 2008-02-16 12:18 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-10 12:40 . 2008-02-16 12:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 12:40 . 2008-02-16 11:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 12:40 . 2008-02-16 11:23 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 12:40 . 2008-02-16 11:23 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-07 23:13 . 2008-02-07 23:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 23:13 . 2008-02-07 23:13 3,457 --a------ C:\WINDOWS\unins000.dat
2008-02-07 01:51 . 2008-02-13 00:48 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-05 21:13 . 2008-02-18 04:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 21:13 . 2008-02-05 21:13 10,240 --a------ C:\info.exe
2008-02-05 21:13 . 2008-02-05 21:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 21:13 . 2008-02-05 21:13 56 --a------ C:\mscrypt.bat
2008-02-03 21:38 . 2008-02-16 12:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SUPERAntiSpyware.com
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 21:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 21:27 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 21:27 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 21:27 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 21:27 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 21:27 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 21:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 21:27 . 2008-02-07 01:59 2,928 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\TVU Networks
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-02 16:06 . 2008-02-02 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 16:10 . 2008-01-30 16:10 274,432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 08:56 . 2008-02-13 00:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 00:35 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Azureus
2008-02-18 15:25 --------- d-----w C:\Program Files\Winamp
2008-02-17 20:59 --------- d-----w C:\Program Files\Winamp Remote
2008-02-16 17:22 --------- d-----w C:\Program Files\WinSCP
2008-02-16 17:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 17:14 --------- d-----w C:\Program Files\GoogleAFE
2008-02-16 17:14 --------- d-----w C:\Program Files\Google
2008-02-16 17:13 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-16 17:10 --------- d-----w C:\Program Files\Azureus
2008-02-14 04:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-09 03:19 --------- d-----w C:\Program Files\Real
2008-02-08 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 05:45 --------- d-----w C:\Program Files\Dazzle
2008-02-03 16:23 --------- d-----w C:\Program Files\Dell
2008-02-02 21:49 --------- d-----w C:\Program Files\FLStudio4
2008-02-02 21:25 --------- d-----w C:\Program Files\DivX
2008-02-02 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-02 21:21 --------- d-----w C:\Program Files\Common Files\Corel
2008-01-17 04:40 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Corel
2008-01-08 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-01-02 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2006-07-29 19:02 49,624 ----a-w C:\Documents and Settings\Vikram Palakodety\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71DC761C-58BD-4f3d-99F7-7C1B54B5BBCB}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 15:02 495616]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-09 22:17 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PC2Me"="C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe" [2008-02-12 23:29 2434400]
"Files2Phones"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 14:23 45056]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-28 20:25 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-11 00:50 220160]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-16 00:54 155648]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2007-09-10 11:08 258134]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-21 23:07:28 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 22:00]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2007-09-14 09:44]
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2000-06-08 13:15]
R2 OracleCSService;OracleCSService;C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe service []
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL []
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2007-08-17 15:58]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys []
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys []
S3 CoachUsb;Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys []
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE [2006-03-01 20:18]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE [2006-03-01 20:18]
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys []
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL []

.
Contents of the 'Scheduled Tasks' folder
"2006-03-28 01:56:42 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 19:45:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\BsLangInDepRes.dll
-> C:\Program Files\1stWORKS\pc2me\BIN\HCAM.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
.
**************************************************************************
.
Completion time: 2008-02-18 19:49:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 00:49:47
ComboFix2.txt 2008-02-17 21:02:54
.
2008-02-14 08:03:45 --- E O F ---


New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:53 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Vikram Palakodety\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC2Me] C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe /auto
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8826 bytes
Old 02-18-2008, 08:10 AM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi,

I see that you are using Azureus, which is a p2p file sharing program. I would like to warn you that the nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple, file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.
I recommend very strongly that you remove it from your system via Add/Remove Programs in Control Panel.

=========================

Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text in the box below into it (it must be Notepad, not WordPad, or it won't work):

Code:
KILLALL::

File::
C:\info.exe
C:\mscrypt.bat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


=========================

Go to Start > Control Panel > Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.

Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

=======================

Please post back the Kaspersky report, latest combofix.txt and a fresh HijackThis log. Also, let me know how the system is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
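The CFScript above goes after two classes of load point that HijackThis reports under O20: Winlogon Notify packages (the crypt32 and msdtc32 keys being deleted) and AppInit_DLLs (LoadAppInit_DLLs being set to 0), plus two executables sitting in the root of C:\. The script below is an added example for this thread, not HijackThis, ComboFix or the forum's own code: it parses an HJT log and lists those entry classes for review, together with orphaned "(no file)" entries and O4 autoruns whose executable lives in a drive root or a user-writable folder. The sample log is constructed from lines in this thread plus one constructed O4 entry ([mscrypt]) so the drive-root rule has something to fire on; the drive-root and user-writable heuristics are my own, and the O20 entries are flagged for review, not as verdicts, since legitimate software (SUPERAntiSpyware, Google here) uses the same load points.

```python
"""Triage a HijackThis log for persistence entries that deserve a closer look.

Added example (not HijackThis's, ComboFix's or this forum's code). It flags:
  * O20 AppInit_DLLs and Winlogon Notify entries (the load points the CFScript targets),
  * entries HJT marks "(no file)" (orphaned registrations),
  * O4 autoruns whose executable sits in a drive root or a user-writable folder.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the HJT logs in this thread, plus one
# constructed O4 line ([mscrypt]) so the drive-root rule fires.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:53 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mscrypt] C:\mscrypt.bat
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
"""

# "R3 - ..." / "O20 - ..." entry lines; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# First drive-letter path ending in an executable extension. Lazy so that spaces in
# "Program Files" stay inside the path while trailing arguments are dropped.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|dll|pif)\b", re.IGNORECASE)
# Directly under a drive root, e.g. C:\info.exe or C:\mscrypt.bat.
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
# Heuristic (my choice): folders any user can write to on XP.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Temp|Local Settings|Application Data|Temporary Internet Files)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O20"
    reason: str   # why the entry was flagged
    entry: str    # the entry text after "On - "


def parse_entries(log_text):
    """Yield (section, rest) for every HJT entry line, skipping headers and process lists."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("rest")


def first_path(command):
    """Return the first executable path in an autorun command, or None (e.g. no extension)."""
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def triage(log_text):
    """Return the list of Findings for one HJT log, in log order."""
    findings = []
    for section, rest in parse_entries(log_text):
        if rest.endswith("(no file)"):
            findings.append(Finding(section, "orphaned (no file)", rest))
        if section == "O20" and rest.startswith("AppInit_DLLs:"):
            findings.append(Finding(section, "AppInit_DLLs load point", rest))
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            findings.append(Finding(section, "Winlogon Notify package", rest))
        elif section == "O4":
            # O4 format: HKLM\..\Run: [name] <command>; keep only the command part.
            path = first_path(rest.split("] ", 1)[-1])
            if path and ROOT_RE.match(path):
                findings.append(Finding(section, "autorun from drive root", rest))
            elif path and USER_WRITABLE_RE.search(path):
                findings.append(Finding(section, "autorun from user-writable folder", rest))
    return findings


def summarize(findings):
    """Count findings per reason, handy for a quick first look at a long log."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:>4}  {f.reason:<34} {f.entry}")
    print(summarize(triage(SAMPLE_HJT_LOG)))
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of the sample string; a flagged O20 or O4 line is a reason to look up the file, not a removal instruction.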
Old 02-18-2008, 09:24 PM   #10 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 8
OS: XP SP2


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi,

I have uninstalled Azureus as suggested. Attached are the logs for your review:

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 19, 2008 7:50:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 529921
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 104788
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:31:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Desktop\[4]-Submit_2008-02-18@19.39.zip/msdtc32.dll Infected: Trojan-Downloader.Win32.Small.hoa skipped
C:\Documents and Settings\Vikram Palakodety\Desktop\[4]-Submit_2008-02-18@19.39.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Application Data\1stWorks\pc2me\LOG\ConnLog-2008-02-19.txt Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Application Data\1stWorks\pc2me\USR\NET.HCD Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\History\History.IE5\MSHist012008021920080220\index.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Vikram Palakodety\ntuser.dat.LOG Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\cdata\localhost\local.ocr Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\css\init\mahabore.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\css\log\ocssd0.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\database\hc_orcl.dat Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\NETWORK\log\listener.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\application-deployments\isqlplus\application.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\application-deployments\isqlplushelp\application.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\log\global-application.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\log\http-web-access.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\log\rmi.log Object is locked skipped
C:\Oracle\product\10.1.0\Db_1\oc4j\j2ee\isqlplus\log\server.log Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\CONTROL01.CTL Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\CONTROL02.CTL Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\CONTROL03.CTL Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\EXAMPLE01.DBF Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\REDO01.LOG Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\REDO02.LOG Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\REDO03.LOG Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\SYSAUX01.DBF Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\SYSTEM01.DBF Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\TEMP01.DBF Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\UNDOTBS01.DBF Object is locked skipped
C:\Oracle\product\10.1.0\oradata\orcl\USERS01.DBF Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-17_155821.38.zip/pxhelp200.sys Infected: Rootkit.Win32.Agent.zl skipped
C:\QooBox\Quarantine\catchme2008-02-17_155821.38.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EF70F4E3-5464-4C2C-8CE9-5134F4438951}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\hsperfdata_SYSTEM\120 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\change.log Object is locked skipped

Scan process completed.


Combofix:
ComboFix 08-02-17.2 - Vikram Palakodety 2008-02-19 16:26:36.3 - NTFSx86

Running from: C:\Documents and Settings\Vikram Palakodety\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vikram Palakodety\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\info.exe
C:\mscrypt.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\mscrypt.bat

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-19 15:19 . 2008-02-19 15:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 15:19 . 2008-02-19 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 02:14 . 2008-02-19 02:14 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-19 01:57 . 2008-02-19 01:57 <DIR> d-------- C:\Program Files\ZSoft
2008-02-19 00:44 . 2008-02-19 00:49 <DIR> d-------- C:\Program Files\Picasa2
2008-02-18 06:15 . 2008-02-18 06:18 <DIR> d-------- C:\Program Files\DLDIrc
2008-02-15 20:28 . 2008-02-15 20:28 <DIR> d-------- C:\Program Files\1stWORKS
2008-02-15 20:28 . 2003-02-28 17:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2008-02-14 00:06 . 2008-02-14 00:08 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\GTek
2008-02-14 00:05 . 2006-02-21 23:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Corel
2008-02-13 23:25 . 2008-02-18 11:13 3,178 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-02-13 23:25 . 2008-02-18 11:13 277 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-02-13 23:24 . 2008-02-19 16:32 4,334 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-02-13 23:24 . 2008-02-18 11:10 100 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-02-13 23:19 . 2008-02-13 23:19 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-02-13 23:18 . 2008-02-13 23:18 <DIR> d-------- C:\Program Files\IVT Corporation
2008-02-13 23:18 . 2008-02-13 23:19 32 --a------ C:\WINDOWS\0
2008-02-13 23:18 . 2008-02-13 23:18 0 --a------ C:\WINDOWS\system32\0
2008-02-11 00:22 . 2008-02-11 00:22 <DIR> d-------- C:\Deckard
2008-02-11 00:06 . 2008-02-11 00:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-10 21:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-10 13:46 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-10 13:40 . 2008-02-10 13:46 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-10 13:39 . 2008-02-10 13:39 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-10 13:37 . 2008-02-10 13:37 <DIR> d-------- C:\Program Files\MSBuild
2008-02-10 13:36 . 2008-02-10 13:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-10 13:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-10 13:28 . 2008-02-10 13:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-10 13:14 . 2008-02-16 12:18 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-10 12:40 . 2008-02-16 12:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 12:40 . 2008-02-16 11:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 12:40 . 2008-02-16 11:23 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 12:40 . 2008-02-16 11:23 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-07 23:13 . 2008-02-07 23:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 23:13 . 2008-02-07 23:13 3,457 --a------ C:\WINDOWS\unins000.dat
2008-02-07 01:51 . 2008-02-13 00:48 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-03 21:38 . 2008-02-16 12:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\SUPERAntiSpyware.com
2008-02-03 21:38 . 2008-02-03 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 21:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 21:27 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 21:27 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 21:27 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 21:27 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 21:27 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 21:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 21:27 . 2008-02-07 01:59 2,928 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\Vikram Palakodety\Application Data\TVU Networks
2008-02-03 15:45 . 2008-02-03 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-02 16:06 . 2008-02-02 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 16:10 . 2008-01-30 16:10 274,432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-22 08:57 . 2008-01-22 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 08:56 . 2008-02-13 00:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 20:22 --------- d-----w C:\Program Files\Azureus
2008-02-19 19:44 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Azureus
2008-02-19 07:01 --------- d-----w C:\Program Files\Dell
2008-02-19 00:46 --------- d-----w C:\Program Files\Winamp Remote
2008-02-18 15:25 --------- d-----w C:\Program Files\Winamp
2008-02-16 17:22 --------- d-----w C:\Program Files\WinSCP
2008-02-16 17:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 17:14 --------- d-----w C:\Program Files\GoogleAFE
2008-02-16 17:14 --------- d-----w C:\Program Files\Google
2008-02-16 17:13 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-14 04:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-09 03:19 --------- d-----w C:\Program Files\Real
2008-02-08 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 05:45 --------- d-----w C:\Program Files\Dazzle
2008-02-02 21:49 --------- d-----w C:\Program Files\FLStudio4
2008-02-02 21:25 --------- d-----w C:\Program Files\DivX
2008-02-02 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-02 21:21 --------- d-----w C:\Program Files\Common Files\Corel
2008-01-17 04:40 --------- d-----w C:\Documents and Settings\Vikram Palakodety\Application Data\Corel
2008-01-08 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-01-02 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2006-07-29 19:02 49,624 ----a-w C:\Documents and Settings\Vikram Palakodety\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 15:02 495616]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PC2Me"="C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe" [2008-02-12 23:29 2434400]
"Files2Phones"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 14:23 45056]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-28 20:25 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-11 00:50 220160]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2007-09-10 11:08 258134]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-21 23:07:28 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 22:00]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2007-09-14 09:44]
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe [2000-06-08 13:15]
R2 OracleCSService;OracleCSService;C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe service []
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL []
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2007-08-17 15:58]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys []
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys []
S3 CoachUsb;Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys []
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE [2006-03-01 20:18]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE [2006-03-01 20:18]
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys []
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.1.0\db_1\Bin\extjob.exe ORCL []

.
Contents of the 'Scheduled Tasks' folder
"2006-03-28 01:56:42 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 16:33:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\BsLangInDepRes.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
.
**************************************************************************
.
Completion time: 2008-02-19 16:37:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 21:37:35
ComboFix2.txt 2008-02-19 00:49:51
ComboFix3.txt 2008-02-17 21:02:54
.
2008-02-14 08:03:45 --- E O F ---


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:50 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\system32\rundll32.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Vikram Palakodety\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC2Me] C:\Program Files\1stWORKS\pc2me\BIN\pc2me.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8882 bytes

As mentioned before, the pop ups have completely stopped and I am experiencing an overall improvement in system performance. It's been two days since the cleanup and I'm keeping my fingers crossed. Also, any suggestions for a good firewall, anti-virus would be welcome. Right now I have Windows Firewall and some anti-spyware around (Spybot, SuperAntispyware etc).

Thanks,
Mahabore
Old 02-18-2008, 09:41 PM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Quote:
I have uninstalled Azureus as suggested.
Good. You can also delete this folder now:

C:\Program Files\Azureus

Quote:
As mentioned before, the pop ups have completely stopped and I am experiencing an overall improvement in system performance. It's been two days since the cleanup and I'm keeping my fingers crossed. Also, any suggestions for a good firewall, anti-virus would be welcome. Right now I have Windows Firewall and some anti-spyware around (Spybot, SuperAntispyware etc).
Glad to hear that. The logs are clean and you'll find below some information and tips which would also answer your query about the antivirus and firewall.

If you have no further issues, you're all set to go. The logs are clean.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

If you haven't got an antivirus, you can download and install one of the following ones which are free for personal use. Make sure that you have only ONE antivirus running on your computer as more than one would cause conflict and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated.

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site http://office.microsoft.com/officeup....aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

The following free real-time pest scanners prevent a number of malware variants from entering your computer in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

CCleaner is a useful utility to clean the temporary files and cookies on a regular basis. A tutorial for CCleaner will explain how to use it. Note: Don't use the Registry (formerly Issues) block as it deals with the registry and can be dangerous.

But above all, keep all your software UP-TO-DATE at all times!

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here.

If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 02-20-2008, 06:08 PM   #12 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 8
OS: XP SP2


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

Hi,

Thanks for the good news!! I've really learnt my lesson, and thanks for the surfing tips and security procedures. I'll try to set up the software listed and work on your advice. You folks have been great and the support has been fabulous.

Once again, thanks a million for your help.

cheers,
Mahabore
Old 02-20-2008, 06:14 PM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Constant Pop Ups on IE - Smitfraud c.coreservices

You're welcome. Glad we could help. Stay safe!
Copyright 2001 - 2009, Tech Support Forum