Resolved HJT Threads Resolved spyware and popup issues.
Old 07-02-2009, 08:52 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Serious Malware issue

Hey guys, I got stuck with a big-time trojan which could not be detected by McAfee & Spyware Doctor.

It was too late by the time I wanted to resolve the issue; the OS was not responding, with lots of memory being eaten up and unwanted popups of Explorer crashing.

The start bar & the desktop were never seen, even after trying to close explorer.exe and starting a new process using Ctrl+Alt+Del.

Called the Acer helpline and they told me I could reformat and reinstall Windows by using one of their system restore features, called Acer Empowering Technology, and they promised me the virus would be gone.

But I informed them that as I have only one single drive which is not partitioned, wouldn't the virus or trojan affect the restore file, to which they replied negatively.

Anyway, after the format and reinstall of WinXP Home Edition, everything looked fine until I noticed none of the antivirus sites were opening up in Chrome as well as Internet Explorer.

Ran Malwarebytes and found a trojan, Trojan.BHO, which was deleted.

This is the log of the scan:
_____________

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/2/2009 4:05:14 PM
mbam-log-2009-07-02 (16-05-14).txt

Scan type: Quick Scan
Objects scanned: 83050
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.
__________________________

Here I am pasting the DDS log:

_____________________________


DDS (Ver_09-06-26.01) - NTFSx86
Run by Yatish at 18:31:03.40 on Thu 07/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.486 [GMT 5.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://global.acer.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6172\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6172\SiteAdv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\yatish\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6172\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-7-21 201288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-16 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-7-25 144704]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-7-25 695624]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-7-24 79304]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-7-21 35240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-7-21 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-7-25 33800]
S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2009-7-3 110576]

=============== Created Last 30 ================

2009-07-02 18:03 <DIR> --d----- c:\program files\Trend Micro
2009-07-02 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-02 16:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-02 16:03 <DIR> --d----- c:\docume~1\yatish\applic~1\SUPERAntiSpyware.com
2009-07-02 16:02 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-02 15:57 <DIR> --d----- c:\docume~1\yatish\applic~1\Malwarebytes
2009-07-02 15:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-02 15:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-02 15:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 14:44 <DIR> --d----- c:\program files\i.c.s SMS
2009-07-02 14:40 164,352 a------- c:\windows\system32\unrar.dll
2009-07-02 14:40 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-07-02 13:57 <DIR> --d----- c:\program files\uTorrent
2009-07-02 13:57 <DIR> --d----- c:\docume~1\yatish\applic~1\uTorrent

==================== Find3M ====================

2008-04-15 08:30 90,520 a--shr-- c:\windows\system32\jktbyy.dll
2008-08-15 23:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-07-03 01:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070220090703\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:31:48.26 ===============
Attached Files
File Type: zip Attach.zip (3.4 KB, 3 views)
richiejain is offline  
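The Malwarebytes log above has a fixed line shape (target, threat name, optional Bad/Good values, action), so it can be parsed for triage. The following is an added example written for this thread, not code from the original post or from Malwarebytes; it parses such a log into findings and pulls out the registry data items the scanner reset, with the sample input constructed from lines quoted in this post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and summarise what it found.

Line shapes handled (as seen in the log above):
  <path or key> (<Threat.Name>) -> <action>
  <registry value> (<Threat.Name>) -> Bad: (<x>) Good: (<y>) -> <action>
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines quoted in this thread's MBAM log.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Section headers look like "Registry Data Items Infected:" (no count after the colon).
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")

# One detection line. The Bad/Good group only appears for registry data items.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[A-Za-z0-9._-]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)

# What the reset registry data items in this log control (well-known XP settings).
SETTING_MEANING = {
    "SHOWALL\\CheckedValue": "Explorer 'Show hidden files and folders' option",
    "AntiVirusDisableNotify": "Security Center alert when no antivirus is active",
    "FirewallDisableNotify": "Security Center alert when the firewall is off",
}


@dataclass
class Finding:
    section: str
    target: str
    threat: str
    action: str
    bad: Optional[str] = None   # value the scanner found (data items only)
    good: Optional[str] = None  # value it restored


@dataclass
class ScanReport:
    findings: List[Finding] = field(default_factory=list)

    def by_section(self) -> Dict[str, List[Finding]]:
        out: Dict[str, List[Finding]] = {}
        for f in self.findings:
            out.setdefault(f.section, []).append(f)
        return out

    def tampered_settings(self) -> List[Finding]:
        """Registry data items whose value was changed away from the good default."""
        return [f for f in self.findings if f.bad is not None]

    def pending_reboot(self) -> List[Finding]:
        """Items that could not be removed while in use (still present until reboot)."""
        return [f for f in self.findings if "reboot" in f.action.lower()]


def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:  # lines that do not fit the detection shape are ignored
            report.findings.append(Finding(section, m["target"], m["threat"],
                                           m["action"], m["bad"], m["good"]))
    return report


def describe_setting(f: Finding) -> str:
    """Human-readable note for a tampered setting, keyed on the value name."""
    for suffix, meaning in SETTING_MEANING.items():
        if f.target.endswith(suffix):
            return f"{meaning}: found {f.bad}, restored to {f.good}"
    return f"{f.target}: found {f.bad}, restored to {f.good}"


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for sec, items in rep.by_section().items():
        print(f"{sec}: {len(items)} item(s)")
    for f in rep.tampered_settings():
        print("tampered:", describe_setting(f))
    for f in rep.pending_reboot():
        print("still on disk until reboot:", f.target)
```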
Old 07-02-2009, 11:22 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Serious Malware issue

Hello richiejain,

If you reformat and reinstall, the malware should be cleared. Did you back up some of your files to a removable drive and put them back on after the reinstall?

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out or copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

=================================================

Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools

Open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select "Never" for "When to re-enable real time scanning"
  • and click OK.

=================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-03-2009, 02:39 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Re: Serious Malware issue

Hey, did exactly as said.

Here is the log:


ComboFix 09-07-02.02 - Yatish 07/03/2009 14:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.707 [GMT 5.5:30]
Running from: c:\documents and settings\Yatish\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Yatish\LOCALS~1\Temp\install_flash_player.exe
c:\windows\Installer\35fc9e.msi

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 20:39 . 2009-07-02 11:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Google
2009-07-02 20:36 . 2007-04-13 06:21 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2009-07-02 20:36 . 2006-03-30 07:36 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2009-07-02 20:36 . 2006-03-23 06:32 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2009-07-02 20:36 . 2005-12-09 03:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2009-07-02 20:36 . 2004-11-03 03:36 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2009-07-02 20:35 . 2009-07-02 20:35 125 ----a-w- c:\windows\xUninstall.bat
2009-07-02 20:35 . 2009-07-02 20:35 -------- d-----w- c:\windows\JMCR_DIR
2009-07-02 20:35 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
2009-07-02 20:35 . 2009-07-02 20:35 129 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\fusioncache.dat
2009-07-02 20:35 . 2009-07-02 13:12 60592 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Common Files\CrystalEye
2009-07-02 20:33 . 2008-06-13 12:13 4342912 ----a-w- c:\windows\system32\acer.exe
2009-07-02 20:33 . 2007-04-19 08:11 83554304 ----a-w- c:\windows\system32\acer.scr
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Acer Incorporated
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\windows\ACER
2009-07-02 20:32 . 2009-07-02 20:32 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe
2009-07-02 20:32 . 2009-07-02 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner
2009-07-02 20:31 . 2009-07-02 08:40 -------- d-----w- c:\program files\Google
2009-07-02 20:30 . 2009-07-02 20:30 -------- d-----w- c:\program files\Launch Manager
2009-07-02 20:23 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-07-02 20:23 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-07-02 20:22 . 2009-07-02 19:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
2009-07-02 20:22 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-07-02 20:22 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-07-02 20:22 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-07-02 20:21 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-07-02 20:17 . 2008-04-15 03:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-02 20:17 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-02 20:17 . 2009-07-02 20:17 -------- d-----w- c:\windows\WebCam
2009-07-02 20:17 . 2008-04-14 00:12 53760 ----a-w- c:\windows\vfwwdm32.dll
2009-07-02 20:17 . 2008-04-15 03:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-02 19:36 . 2009-07-02 19:36 -------- d---a-w- c:\windows\AcerStore
2009-07-02 12:33 . 2009-07-02 12:33 -------- d-----w- c:\program files\Trend Micro
2009-07-02 10:33 . 2009-07-03 08:19 117760 ----a-w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com
2009-07-02 10:32 . 2009-07-02 10:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 10:27 . 2009-07-02 10:27 -------- d-----w- c:\documents and settings\Yatish\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 10:26 . 2009-07-02 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 10:26 . 2009-07-02 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 09:15 . 2009-07-02 09:15 -------- d-----w- c:\documents and settings\Yatish\Application Data\Media Player Classic
2009-07-02 09:14 . 2003-12-11 05:45 44544 ----a-w- c:\windows\system32\MSXML4a.dll
2009-07-02 09:14 . 2001-08-17 17:13 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-07-02 09:14 . 2006-06-20 10:36 237056 ----a-w- c:\windows\system32\winhttp5.dll
2009-07-02 09:14 . 1998-06-18 07:00 77824 ----a-w- c:\windows\system32\MSBIND.DLL
2009-07-02 09:14 . 1998-06-08 18:30 509440 ----a-w- c:\windows\system32\MSDE.DLL
2009-07-02 09:14 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-07-02 09:14 . 2009-07-02 09:14 -------- d-----w- c:\program files\i.c.s SMS
2009-07-02 08:44 . 2009-07-02 08:44 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Adobe
2009-07-02 08:27 . 2009-07-02 08:27 -------- d-----w- c:\program files\uTorrent
2009-07-02 08:27 . 2009-07-03 08:19 -------- d-----w- c:\documents and settings\Yatish\Application Data\uTorrent
2009-07-02 08:17 . 2009-07-02 08:22 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Temp
2009-07-02 08:14 . 2009-07-02 08:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 20:35 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 20:26 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\SiteAdvisor
2009-07-02 19:36 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
2009-07-02 19:36 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
2009-07-02 19:33 . 2008-08-15 18:11 -------- d-----w- c:\program files\SiteAdvisor
2009-07-02 19:33 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-07-02 19:33 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\McAfee.com
2009-07-02 19:32 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo
2009-07-02 19:32 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-02 19:32 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-02 19:32 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros
2009-07-02 19:31 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\InstallShield
2009-07-02 19:31 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 19:31 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-02 19:31 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-02 19:31 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2009-07-02 09:10 . 2009-07-02 09:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-02 08:40 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2009-07-02 08:12 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-04-15 03:00 . 2008-04-15 03:00 90520 --sha-r- c:\windows\system32\jktbyy.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Google Update"="c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-02 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-02 288048]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5129:TCP"= 5129:TCP:ubbyrbx

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 9:31 PM 254976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 8:30 AM 14336]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/3/2009 2:02 AM 110576]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
llfhwuy
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006Core.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006UA.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]

2008-08-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-M3000Mnt - M3000Rmv.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\llfhwuy]
"ServiceDll"="c:\windows\system32\jktbyy.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-03 14:06
ComboFix-quarantined-files.txt 2009-07-03 08:36

Pre-Run: 146,833,719,296 bytes free
Post-Run: 146,799,230,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Old 07-03-2009, 08:23 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Serious Malware issue

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391048-serious-malware-issue.html#post2220223

Collect::
c:\windows\system32\jktbyy.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5129:TCP"=-

NetSvc::
llfhwuy

Driver::
llfhwuy

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
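An added example, not part of the thread and not ComboFix's own code: a small Python triage script for logs in the format posted above. It reads the record types the hijack check needs (the `R`/`S` service lines, the file lines with their attribute field, the `Svchost - NetSvcs` list, the `ServiceDll` value and the `GloballyOpenPorts` list), correlates the `svchost.exe -k netsvcs` service with its ServiceDll and that file's attributes, and drafts the same `Collect::` / `Registry::` / `NetSvc::` / `Driver::` blocks Ried's CFScript uses. The two flagging rules (hidden+system attributes on a ServiceDll, and a bare random-looking label on a firewall port exception) and the sample lines (reduced from the log above, plus one constructed benign firewall entry) are assumptions of this example, not something the thread states.

```python
"""Triage a ComboFix log for a svchost/netsvcs service hijack and draft a CFScript.

Added example for this thread, not ComboFix's own code. Both rules are assumptions:
a netsvcs-hosted service is flagged when its ServiceDll is hidden+system or when it
is one of the non-default NetSvcs entries ComboFix prints; a globally open port is
flagged when its label is a bare token rather than a resource string or product name.
"""
import re

# Constructed sample: lines reduced from the log posted above, plus one benign
# firewall exception (constructed) so the port rule has a negative case.
SAMPLE_LOG = r"""
2008-04-15 03:00 . 2008-04-15 03:00 90520 --sha-r- c:\windows\system32\jktbyy.dll
2009-07-02 10:26 . 2009-06-17 05:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5129:TCP"= 5129:TCP:ubbyrbx
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 8:30 AM 14336]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/3/2009 2:02 AM 110576]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
llfhwuy
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\llfhwuy]
"ServiceDll"="c:\windows\system32\jktbyy.dll"
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
                     r"(\d+|-+)\s+([d-][-a-z]{7})\s+(.+)$")
SERVICES_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*(.*)$', re.I)


def parse_log(text):
    """Pull services, file lines, NetSvcs members, ServiceDll values and open ports out of a log."""
    p = {"services": {}, "files": {}, "netsvcs": [], "service_dlls": {}, "open_ports": {}}
    section = None       # multi-line block we are inside: "netsvcs", "ports" or None
    current_key = None   # service name from the last [...\Services\<name>] header
    for raw in text.strip().splitlines():
        line = raw.strip()
        if "Svchost - NetSvcs" in line:
            section = "netsvcs"
            continue
        if line.endswith("GloballyOpenPorts\\List]"):
            section = "ports"
            continue
        if section == "netsvcs":          # one service name per line until "." or blank
            if line in ("", "."):
                section = None
            else:
                p["netsvcs"].append(line.lower())
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m:
                p["open_ports"][m.group(1)] = m.group(2)
                continue
            section = None                # first non-port line closes the block
        m = SERVICES_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_key:
            p["service_dlls"][current_key] = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            p["services"][m.group(2).lower()] = {"start": m.group(1), "display": m.group(3), "path": m.group(4)}
            continue
        m = FILE_RE.match(line)
        if m:
            p["files"][m.group(3).lower()] = {"size": m.group(1), "attrs": m.group(2)}
    return p


def find_netsvcs_hijacks(parsed):
    """Correlate each 'svchost.exe -k netsvcs' service with its ServiceDll and that file's attributes."""
    hits = []
    for name, svc in parsed["services"].items():
        if "svchost.exe -k netsvcs" not in svc["path"].lower():
            continue
        dll = parsed["service_dlls"].get(name)
        attrs = parsed["files"].get(dll.lower(), {}).get("attrs", "") if dll else ""
        reasons = []
        if name in parsed["netsvcs"]:
            reasons.append("non-default entry in the Svchost NetSvcs group")
        if "h" in attrs and "s" in attrs:
            reasons.append("ServiceDll is hidden+system (%s)" % attrs)
        if reasons:
            hits.append({"service": name, "display": svc["display"], "dll": dll, "attrs": attrs, "reasons": reasons})
    return hits


def suspicious_port_exceptions(parsed):
    """Open-port exceptions whose label is a bare token like '5129:TCP:ubbyrbx' (heuristic)."""
    return {port: label for port, label in parsed["open_ports"].items()
            if re.fullmatch(r"\d+:(?:TCP|UDP):[a-z]{5,10}", label, re.I)}


def build_cfscript(hijacks, ports):
    """Draft the Collect::/Registry::/NetSvc::/Driver:: blocks in the form used in this thread."""
    out = []
    dlls = [h["dll"] for h in hijacks if h["dll"]]
    if dlls:
        out += ["Collect::"] + dlls + [""]
    if ports:
        out += ["Registry::",
                r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"]
        out += ['"%s"=-' % port for port in ports] + [""]
    names = [h["service"] for h in hijacks]
    if names:
        out += ["NetSvc::"] + names + ["", "Driver::"] + names
    return "\n".join(out).rstrip() + "\n"


def triage(text):
    """Run the whole pipeline on one log and return findings plus the drafted script."""
    parsed = parse_log(text)
    hijacks = find_netsvcs_hijacks(parsed)
    ports = suspicious_port_exceptions(parsed)
    return {"hijacks": hijacks, "ports": ports, "cfscript": build_cfscript(hijacks, ports)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hijacks"]:
        print("%s (%s) -> %s [%s]: %s" % (h["service"], h["display"], h["dll"], h["attrs"], "; ".join(h["reasons"])))
    print(result["cfscript"])
```

Run as-is, it prints the `llfhwuy` service with its DLL and both reasons, then a script that matches Ried's block for block. The attribute field is the decisive signal here: in the log above, jktbyy.dll is dated 2008-04-15 03:00, the same stamp as the SP3 system files listed (kbdhid.sys, hidusb.sys), so a date-based check would not single it out, but a service DLL in system32 with the `--sha-r-` (hidden, system, read-only) combination is not how Windows or a normal installer leaves its files.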
Old 07-04-2009, 03:55 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Re: Serious Malware issue

ComboFix 09-07-02.02 - Yatish 07/04/2009 15:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.452 [GMT 5.5:30]
Running from: c:\combofix\ComboFix.exe
Command switches used :: c:\combofix\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-02 20:39 . 2009-07-02 11:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Google
2009-07-02 20:36 . 2007-04-13 06:21 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2009-07-02 20:36 . 2006-03-30 07:36 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2009-07-02 20:36 . 2006-03-23 06:32 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2009-07-02 20:36 . 2005-12-09 03:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2009-07-02 20:36 . 2004-11-03 03:36 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2009-07-02 20:35 . 2009-07-02 20:35 125 ----a-w- c:\windows\xUninstall.bat
2009-07-02 20:35 . 2009-07-02 20:35 -------- d-----w- c:\windows\JMCR_DIR
2009-07-02 20:35 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
2009-07-02 20:35 . 2009-07-02 20:35 129 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\fusioncache.dat
2009-07-02 20:35 . 2009-07-02 13:12 60592 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Common Files\CrystalEye
2009-07-02 20:33 . 2008-06-13 12:13 4342912 ----a-w- c:\windows\system32\acer.exe
2009-07-02 20:33 . 2007-04-19 08:11 83554304 ----a-w- c:\windows\system32\acer.scr
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Acer Incorporated
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\windows\ACER
2009-07-02 20:32 . 2009-07-02 20:32 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe
2009-07-02 20:32 . 2009-07-02 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner
2009-07-02 20:31 . 2009-07-02 08:40 -------- d-----w- c:\program files\Google
2009-07-02 20:30 . 2009-07-02 20:30 -------- d-----w- c:\program files\Launch Manager
2009-07-02 20:23 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-07-02 20:23 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-07-02 20:22 . 2009-07-02 19:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
2009-07-02 20:22 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-07-02 20:22 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-07-02 20:22 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-07-02 20:21 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-07-02 20:17 . 2008-04-15 03:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-02 20:17 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-02 20:17 . 2009-07-02 20:17 -------- d-----w- c:\windows\WebCam
2009-07-02 20:17 . 2008-04-14 00:12 53760 ----a-w- c:\windows\vfwwdm32.dll
2009-07-02 20:17 . 2008-04-15 03:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-02 19:36 . 2009-07-02 19:36 -------- d---a-w- c:\windows\AcerStore
2009-07-02 12:33 . 2009-07-02 12:33 -------- d-----w- c:\program files\Trend Micro
2009-07-02 10:33 . 2009-07-04 09:38 117760 ----a-w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com
2009-07-02 10:32 . 2009-07-02 10:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 10:27 . 2009-07-02 10:27 -------- d-----w- c:\documents and settings\Yatish\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 10:26 . 2009-07-02 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 10:26 . 2009-07-02 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 09:15 . 2009-07-02 09:15 -------- d-----w- c:\documents and settings\Yatish\Application Data\Media Player Classic
2009-07-02 09:14 . 2003-12-11 05:45 44544 ----a-w- c:\windows\system32\MSXML4a.dll
2009-07-02 09:14 . 2001-08-17 17:13 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-07-02 09:14 . 2006-06-20 10:36 237056 ----a-w- c:\windows\system32\winhttp5.dll
2009-07-02 09:14 . 1998-06-18 07:00 77824 ----a-w- c:\windows\system32\MSBIND.DLL
2009-07-02 09:14 . 1998-06-08 18:30 509440 ----a-w- c:\windows\system32\MSDE.DLL
2009-07-02 09:14 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-07-02 09:14 . 2009-07-02 09:14 -------- d-----w- c:\program files\i.c.s SMS
2009-07-02 08:44 . 2009-07-03 11:44 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Adobe
2009-07-02 08:27 . 2009-07-02 08:27 -------- d-----w- c:\program files\uTorrent
2009-07-02 08:27 . 2009-07-04 09:47 -------- d-----w- c:\documents and settings\Yatish\Application Data\uTorrent
2009-07-02 08:17 . 2009-07-02 08:22 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Temp
2009-07-02 08:14 . 2009-07-02 08:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 20:35 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 20:26 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\SiteAdvisor
2009-07-02 19:36 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
2009-07-02 19:36 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
2009-07-02 19:33 . 2008-08-15 18:11 -------- d-----w- c:\program files\SiteAdvisor
2009-07-02 19:33 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-07-02 19:33 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\McAfee.com
2009-07-02 19:32 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo
2009-07-02 19:32 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-02 19:32 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-02 19:32 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros
2009-07-02 19:31 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\InstallShield
2009-07-02 19:31 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 19:31 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-02 19:31 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-02 19:31 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2009-07-02 09:10 . 2009-07-02 09:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-02 08:40 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2009-07-02 08:12 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-04-15 03:00 . 2008-04-15 03:00 90520 --sha-r- c:\windows\system32\jktbyy.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-03_08.35.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 19:59 . 2009-07-03 08:23 63418 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-07-04 09:42 63418 c:\windows\system32\perfc009.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-15 19:59 . 2009-07-04 09:42 402974 c:\windows\system32\perfh009.dat
- 2008-08-15 19:59 . 2009-07-03 08:23 402974 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Google Update"="c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-02 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-02 288048]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5129:TCP"= 5129:TCP:ubbyrbx

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 9:31 PM 254976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 8:30 AM 14336]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/3/2009 2:02 AM 110576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFERKDK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
llfhwuy
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006Core.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006UA.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]

2008-08-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 15:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\llfhwuy]
"ServiceDll"="c:\windows\system32\jktbyy.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2156)
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-07-04 15:23
ComboFix-quarantined-files.txt 2009-07-04 09:53
ComboFix2.txt 2009-07-03 08:36

Pre-Run: 143,844,052,992 bytes free
Post-Run: 143,832,129,536 bytes free

Old 07-04-2009, 03:56 AM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Re: Serious Malware issue

Dear Ried,

As for the link you provided, I am still not able to open any antivirus sites...

Richie
Old 07-04-2009, 07:33 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Serious Malware issue

That's because the CFScript I gave you did not carry out as listed. Let's try this again. This time, I've attached the CFScript.txt for you. Download it and save it to your desktop - the same place as where ComboFix.exe is located.


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Post the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 09-19-2009 at 10:33 AM.
Old 07-06-2009, 01:42 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Re: Serious Malware issue

Hey, I did what you told me twice

but still don't get that message of "Don't be alarmed"..

here is the log again.

ComboFix 09-07-05.03 - Yatish 07/06/2009 13:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.594 [GMT 5.5:30]
Running from: c:\documents and settings\Yatish\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yatish\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 07:33 . 2009-07-06 07:33 -------- d-----w- c:\windows\LastGood
2009-07-02 20:39 . 2009-07-02 11:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Google
2009-07-02 20:36 . 2007-04-13 06:21 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2009-07-02 20:36 . 2006-03-30 07:36 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2009-07-02 20:36 . 2006-03-23 06:32 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2009-07-02 20:36 . 2005-12-09 03:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2009-07-02 20:36 . 2004-11-03 03:36 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2009-07-02 20:35 . 2009-07-02 20:35 125 ----a-w- c:\windows\xUninstall.bat
2009-07-02 20:35 . 2009-07-02 20:35 -------- d-----w- c:\windows\JMCR_DIR
2009-07-02 20:35 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
2009-07-02 20:35 . 2009-07-02 20:35 129 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\fusioncache.dat
2009-07-02 20:35 . 2009-07-02 13:12 60592 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Common Files\CrystalEye
2009-07-02 20:33 . 2008-06-13 12:13 4342912 ----a-w- c:\windows\system32\acer.exe
2009-07-02 20:33 . 2007-04-19 08:11 83554304 ----a-w- c:\windows\system32\acer.scr
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Acer Incorporated
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\windows\ACER
2009-07-02 20:32 . 2009-07-02 20:32 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe
2009-07-02 20:32 . 2009-07-02 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner
2009-07-02 20:31 . 2009-07-02 08:40 -------- d-----w- c:\program files\Google
2009-07-02 20:30 . 2009-07-02 20:30 -------- d-----w- c:\program files\Launch Manager
2009-07-02 20:23 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-07-02 20:23 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-07-02 20:22 . 2009-07-02 19:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
2009-07-02 20:22 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-07-02 20:22 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-07-02 20:22 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-07-02 20:21 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-07-02 20:17 . 2008-04-15 03:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-02 20:17 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-02 20:17 . 2009-07-02 20:17 -------- d-----w- c:\windows\WebCam
2009-07-02 20:17 . 2008-04-14 00:12 53760 ----a-w- c:\windows\vfwwdm32.dll
2009-07-02 20:17 . 2008-04-15 03:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-02 19:36 . 2009-07-02 19:36 -------- d---a-w- c:\windows\AcerStore
2009-07-02 12:33 . 2009-07-02 12:33 -------- d-----w- c:\program files\Trend Micro
2009-07-02 10:33 . 2009-07-06 07:32 117760 ----a-w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com
2009-07-02 10:32 . 2009-07-02 10:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 10:27 . 2009-07-02 10:27 -------- d-----w- c:\documents and settings\Yatish\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 10:26 . 2009-07-02 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 10:26 . 2009-07-02 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 09:15 . 2009-07-02 09:15 -------- d-----w- c:\documents and settings\Yatish\Application Data\Media Player Classic
2009-07-02 09:14 . 2003-12-11 05:45 44544 ----a-w- c:\windows\system32\MSXML4a.dll
2009-07-02 09:14 . 2001-08-17 17:13 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-07-02 09:14 . 2006-06-20 10:36 237056 ----a-w- c:\windows\system32\winhttp5.dll
2009-07-02 09:14 . 1998-06-18 07:00 77824 ----a-w- c:\windows\system32\MSBIND.DLL
2009-07-02 09:14 . 1998-06-08 18:30 509440 ----a-w- c:\windows\system32\MSDE.DLL
2009-07-02 09:14 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-07-02 09:14 . 2009-07-02 09:14 -------- d-----w- c:\program files\i.c.s SMS
2009-07-02 08:44 . 2009-07-03 11:44 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Adobe
2009-07-02 08:27 . 2009-07-02 08:27 -------- d-----w- c:\program files\uTorrent
2009-07-02 08:27 . 2009-07-06 07:33 -------- d-----w- c:\documents and settings\Yatish\Application Data\uTorrent
2009-07-02 08:17 . 2009-07-02 08:22 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Temp
2009-07-02 08:14 . 2009-07-02 08:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 20:35 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 20:26 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\SiteAdvisor
2009-07-02 19:36 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
2009-07-02 19:36 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
2009-07-02 19:33 . 2008-08-15 18:11 -------- d-----w- c:\program files\SiteAdvisor
2009-07-02 19:33 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-07-02 19:33 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\McAfee.com
2009-07-02 19:32 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo
2009-07-02 19:32 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-02 19:32 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-02 19:32 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros
2009-07-02 19:31 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\InstallShield
2009-07-02 19:31 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 19:31 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-02 19:31 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-02 19:31 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2009-07-02 09:10 . 2009-07-02 09:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-02 08:40 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2009-07-02 08:12 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
.

((((((((((((((((((((((((((((( SnapShot@2009-07-03_08.35.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 08:39 . 2008-10-16 08:39 43544 c:\windows\system32\wups2.dll
+ 2008-04-15 03:00 . 2008-10-16 08:39 51224 c:\windows\system32\wuauclt.exe
+ 2009-07-06 07:33 . 2008-10-16 08:38 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
- 2008-08-15 19:59 . 2009-07-03 08:23 63418 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-07-06 07:35 63418 c:\windows\system32\perfc009.dat
+ 2008-04-15 03:00 . 2008-10-16 08:39 51224 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-15 03:00 . 2008-10-16 08:39 92696 c:\windows\system32\dllcache\cdm.dll
+ 2009-07-02 20:19 . 2009-07-06 06:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-02 20:19 . 2009-07-06 06:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-02 20:19 . 2009-07-06 06:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-15 03:00 . 2008-10-16 08:39 92696 c:\windows\system32\cdm.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 32256 c:\windows\LastGood\system32\wups.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 66560 c:\windows\LastGood\system32\cdm.dll
+ 2008-04-15 03:00 . 2008-10-16 08:43 202776 c:\windows\system32\wuweb.dll
+ 2008-04-15 03:00 . 2008-10-16 08:42 323608 c:\windows\system32\wucltui.dll
+ 2008-04-15 03:00 . 2008-10-16 08:42 561688 c:\windows\system32\wuapi.dll
- 2008-08-15 19:59 . 2009-07-03 08:23 402974 c:\windows\system32\perfh009.dat
+ 2008-08-15 19:59 . 2009-07-06 07:35 402974 c:\windows\system32\perfh009.dat
+ 2008-04-15 03:00 . 2008-10-16 08:43 202776 c:\windows\system32\dllcache\wuweb.dll
+ 2008-04-15 03:00 . 2008-10-16 08:42 323608 c:\windows\system32\dllcache\wucltui.dll
+ 2008-04-15 03:00 . 2008-10-16 08:42 561688 c:\windows\system32\dllcache\wuapi.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 120320 c:\windows\LastGood\system32\wuweb.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 112640 c:\windows\LastGood\system32\wucltui.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 111104 c:\windows\LastGood\system32\wuauclt.exe
+ 2009-07-06 07:33 . 2008-04-15 03:00 430592 c:\windows\LastGood\system32\wuapi.dll
+ 2008-04-15 03:00 . 2008-10-16 08:43 1809944 c:\windows\system32\wuaueng.dll
+ 2008-04-15 03:00 . 2008-10-16 08:43 1809944 c:\windows\system32\dllcache\wuaueng.dll
+ 2009-07-06 07:33 . 2008-04-15 03:00 1135616 c:\windows\LastGood\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Google Update"="c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-02 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-02 288048]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 9:31 PM 254976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/3/2009 2:02 AM 110576]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006Core.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006UA.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]

2008-08-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 13:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(132)
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-07-06 13:10
ComboFix-quarantined-files.txt 2009-07-06 07:40
ComboFix2.txt 2009-07-06 07:33
ComboFix3.txt 2009-07-04 09:53
ComboFix4.txt 2009-07-03 08:36

Pre-Run: 143,699,075,072 bytes free
Post-Run: 143,689,482,240 bytes free

Posted by richiejain
Old 07-06-2009, 08:21 AM   #9 (permalink)
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista

Re: Serious Malware issue

It looks like the 3rd run did what I wanted it to do. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-07-2009, 12:37 AM   #10 (permalink)
richiejain, Registered User
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home

Re: Serious Malware issue

2009-07-06 07:36:32 . 2009-07-06 07:36:32 214 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-07-06 07:29:58 . 2009-07-06 07:29:58 1,138 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_jktbyy_.dll.zip
2009-07-06 07:29:29 . 2009-07-06 07:29:29 2,966 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_llfhwuy.reg.dat
2009-07-06 07:29:29 . 2009-07-06 07:29:29 1,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_LLFHWUY.reg.dat
2009-07-06 07:27:05 . 2009-07-06 07:27:06 82,091 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2009-07-06_12.57.04.zip
2009-07-03 08:36:07 . 2009-07-03 08:36:07 148 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-M3000Mnt.reg.dat
2009-07-03 08:34:58 . 2009-07-06 07:38:38 6,758 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-07-03 08:28:19 . 2009-07-06 07:35:57 735 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-07-02 09:17:17 . 2009-07-02 09:17:17 41,461,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\35fc9e.msi.vir
2008-04-15 03:00:00 . 2008-04-15 03:00:00 90,520 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jktbyy.dll.vir
Old 07-07-2009, 12:38 AM   #11 (permalink)
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team

Re: Serious Malware issue

Please visit this site and copy/paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2009-07-06_12.57.04.zip

Click 'Send File'

Last edited by Ried; 07-07-2009 at 12:40 AM.
Old 07-07-2009, 02:09 AM   #12 (permalink)
richiejain, Registered User

Re: Serious Malware issue

Done that.

Hey, what now?
Old 07-07-2009, 07:48 PM   #13 (permalink)
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team

Re: Serious Malware issue

What now? How about you tell me how the system is behaving? What issues remain?

I'll also need you to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Old 07-07-2009, 07:52 PM   #14 (permalink)
richiejain, Registered User

Re: Serious Malware issue

Hey, thanks a ton...

Will let you know about the behaviour soon.
Copyright 2001 - 2009, Tech Support Forum