
Registry and Task manager Disabled By Admin

Discussion in 'Malware and Virus Removal Archive' started by rockingkaps, 2008/01/12.

  1. 2008/01/12
    rockingkaps

    rockingkaps Inactive Thread Starter

    Joined:
    2008/01/12
    Messages:
    11
    Likes Received:
    0
    My task manager and Reg file are disabled by the administrator. I have just run HijackThis and copied the output here. I need help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:17:44 AM, on 1/13/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\SCVVHSOT.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\SCVVHSOT.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kapil\Desktop\HiJackThis.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVVHSOT.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVVHSOT.exe (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 5474 bytes
     
  2. 2008/01/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS rockingkaps :)

    We need to use another tool to get a better look at things. Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     

  4. 2008/01/13
    rockingkaps

    rockingkaps Inactive Thread Starter

    Joined:
    2008/01/12
    Messages:
    11
    Likes Received:
    0
    Thanks Dave.

    Here are the details of main.txt after I followed what you recommended.

    Deckard's System Scanner v20071014.68
    Run by Kapil on 2008-01-13 13:50:27
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 1 Restore Point(s) --
    1: 2008-01-13 08:20:33 UTC - RP9 - Deckard's System Scanner Restore Point


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 247 MiB (512 MiB recommended).


    -- HijackThis (run as Kapil.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:51:39 PM, on 1/13/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Kapil\Desktop\dss.exe
    C:\DOCUME~1\Kapil\Desktop\Kapil.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVVHSOT.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SCVVHSOT.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 5199 bytes

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1 ",%*
    .vbs - XingMpeg - DefaultIcon - unable to read value
    .vbs - XingMpeg - shell\open\command - C:\Program Files\xmplayer\xmplayer.exe %1
    .vbs - XingMpeg - shell\edit\command - unable to read value


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_380117AA&REV_03\3&B1BFB68&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_27A2&SUBSYS_380117AA&REV_03\3&B1BFB68&0&10
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_380117AA&REV_03\3&B1BFB68&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_27A6&SUBSYS_380117AA&REV_03\3&B1BFB68&0&11
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Network Controller
    Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&20975680&0&00E1
    Manufacturer:
    Name: Network Controller
    PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_046514E4&REV_01\4&20975680&0&00E1
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_382B17AA&REV_01\4&6B16D5B&0&32F0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_382B17AA&REV_01\4&6B16D5B&0&32F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_382C17AA&REV_0A\4&6B16D5B&0&33F0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_382C17AA&REV_0A\4&6B16D5B&0&33F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_382D17AA&REV_05\4&6B16D5B&0&34F0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_382D17AA&REV_05\4&6B16D5B&0&34F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\VPC2004\0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\VPC2004\0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_380F17AA&REV_02\3&B1BFB68&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_380F17AA&REV_02\3&B1BFB68&0&FB
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-12 23:09:34 354 --a------ C:\WINDOWS\Tasks\At1.job
    2008-01-04 23:09:24 530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kapil.job


    -- Files created between 2007-12-13 and 2008-01-13 -----------------------------

    2008-01-13 13:37:57 0 d-------- C:\WINDOWS\LastGood
    2008-01-12 23:36:01 264192 --a------ C:\WINDOWS\system32\Incinerator.dll
    2008-01-12 23:36:01 25600 --a------ C:\WINDOWS\Inetmib1.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-01-12 23:36:00 22528 --a------ C:\WINDOWS\Snmpapi.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-01-12 23:36:00 0 d-------- C:\Program Files\iolo
    2008-01-12 20:24:17 28672 --a------ C:\Documents and Settings\Kapil\xXx.exe
    2008-01-12 20:09:12 0 d-------- C:\Documents and Settings\Kapil\Application Data\Google
    2008-01-12 20:06:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2008-01-12 19:35:10 0 d-------- C:\Program Files\Microsoft.NET
    2008-01-12 19:34:39 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-12 19:32:18 0 d-------- C:\WINDOWS\SHELLNEW
    2008-01-09 23:04:25 0 d-------- C:\Program Files\Winamp
    2008-01-09 22:55:46 22992 --a------ C:\WINDOWS\system\DDRAW16.DLL <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows® 95>
    2008-01-09 22:55:45 31744 --a------ C:\WINDOWS\system32\DDHELP.EXE <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows® 95>
    2008-01-09 22:55:43 17920 --a------ C:\WINDOWS\rsdll.dll
    2008-01-09 22:55:42 593920 --a------ C:\WINDOWS\system32\rsagnt32.dll <Not Verified; Release Software Corporation; Release Software Corporation SalesAgent>
    2008-01-09 22:55:42 0 d-------- C:\Program Files\xmplayer
    2008-01-09 22:52:41 0 d-------- C:\WINDOWS\Prefetch
    2008-01-09 21:39:30 0 d-------- C:\PUB
    2008-01-09 21:35:26 82032 --a------ C:\WINDOWS\winsbak2.reg
    2008-01-09 21:35:26 11026 --a------ C:\WINDOWS\winsbak.reg
    2008-01-09 21:35:16 0 d-------- C:\Documents and Settings\remoteservice\Templates
    2008-01-09 21:35:16 0 d-------- C:\Documents and Settings\LocalService\Templates
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Start Menu
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Favorites
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Documents
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Desktop
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Application Data
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\NetworkService\Desktop
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Favorites
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Documents
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2008-01-09 21:34:08 0 d-------- C:\WINDOWS\system32\FLCSS.EXE
    2008-01-09 21:02:03 0 d-------- C:\Documents and Settings\Kapil\Application Data\Lavasoft
    2008-01-09 20:56:44 0 d-------- C:\Program Files\Lavasoft
    2008-01-05 23:54:53 0 d--h----- C:\WINDOWS\PIF
    2008-01-05 23:42:41 0 d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-01-05 23:23:19 0 d-------- C:\Program Files\Google
    2008-01-05 00:33:24 0 d-------- C:\WINDOWS\system32\Lang
    2008-01-05 00:29:08 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2008-01-05 00:27:59 0 d-------- C:\WINDOWS\system32\RTCOM
    2008-01-05 00:25:05 0 d---s---- C:\Documents and Settings\Kapil\UserData
    2008-01-05 00:23:44 0 d-------- C:\Program Files\Realtek
    2008-01-05 00:23:40 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-05 00:22:57 499712 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
    2008-01-05 00:22:36 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-01-04 23:24:43 0 d--hs---- C:\Recycled
    2008-01-04 23:17:17 290419 -rahs---- C:\WINDOWS\system32\SCVVHSOT.exe
    2008-01-04 23:17:17 290419 -rahs---- C:\WINDOWS\system32\blastclnnn.exe
    2008-01-04 23:17:17 290419 --a------ C:\WINDOWS\SCVVHSOT.exe
    2008-01-04 23:07:40 0 d-------- C:\Documents and Settings\Kapil\Application Data\Symantec
    2008-01-04 23:04:08 0 d-------- C:\Program Files\Norton AntiVirus
    2008-01-04 23:03:54 0 d-------- C:\Program Files\Symantec
    2008-01-04 23:03:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-04 23:03:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-04 22:59:46 0 d-------- C:\Documents and Settings\Kapil\Application Data\Identities
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Templates
    2008-01-04 22:59:37 0 d-------- C:\Documents and Settings\Kapil\Start Menu
    2008-01-04 22:59:37 0 dr-h----- C:\Documents and Settings\Kapil\SendTo
    2008-01-04 22:59:37 0 dr-h----- C:\Documents and Settings\Kapil\Recent
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\PrintHood
    2008-01-04 22:59:37 1048576 --ah----- C:\Documents and Settings\Kapil\NTUSER.DAT
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\NetHood
    2008-01-04 22:59:37 0 dr------- C:\Documents and Settings\Kapil\My Documents
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Local Settings
    2008-01-04 22:59:37 0 dr------- C:\Documents and Settings\Kapil\Favorites
    2008-01-04 22:59:37 0 d-------- C:\Documents and Settings\Kapil\Desktop
    2008-01-04 22:59:37 0 d---s---- C:\Documents and Settings\Kapil\Cookies
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Application Data
    2008-01-04 22:58:49 0 d-------- C:\WINDOWS\SoftwareDistribution
    2008-01-04 22:58:49 0 d--hs---- C:\System Volume Information
    2008-01-04 22:58:48 0 d---s---- C:\WINDOWS\system32\Microsoft
    2008-01-04 22:58:47 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
    2008-01-04 22:58:47 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2008-01-04 22:58:47 0 d---s---- C:\Documents and Settings\LocalService\Cookies
    2008-01-04 22:58:47 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2008-01-04 22:58:47 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2008-01-04 22:58:34 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
    2008-01-04 22:58:34 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2008-01-04 22:58:34 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
    2008-01-04 22:58:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2008-01-04 22:58:34 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    2008-01-04 22:53:57 0 d-------- C:\WINDOWS\system32\xircom
    2008-01-04 22:53:57 0 d-------- C:\Program Files\microsoft frontpage
    2008-01-04 22:53:44 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
    2008-01-04 22:53:38 1056 --ahs---- C:\vaz4a2ma.sys
    2008-01-04 22:53:38 0 -rahs---- C:\MSDOS.SYS
    2008-01-04 22:53:38 0 -rahs---- C:\IO.SYS
    2008-01-04 22:53:38 0 --a------ C:\CONFIG.SYS
    2008-01-04 22:53:38 0 --a------ C:\AUTOEXEC.BAT
    2008-01-04 22:52:36 0 d--hs---- C:\Documents and Settings\All Users\DRM
    2008-01-04 22:52:26 0 dr------- C:\WINDOWS\Offline Web Pages
    2008-01-04 22:52:26 0 d---s---- C:\WINDOWS\Downloaded Program Files
    2008-01-04 22:51:57 0 d-------- C:\WINDOWS\system32\DirectX
    2008-01-04 22:51:21 0 d---s---- C:\WINDOWS\Tasks
    2008-01-04 22:51:20 0 d-------- C:\Program Files\Common Files\MSSoap
    2008-01-04 22:51:17 0 d-------- C:\WINDOWS\srchasst
    2008-01-04 22:51:16 0 d-------- C:\WINDOWS\system32\Macromed
    2008-01-04 22:51:09 0 d-------- C:\Program Files\Movie Maker
    2008-01-04 22:51:00 0 d-------- C:\WINDOWS\system32\Restore
    2008-01-04 22:50:16 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2008-01-04 22:49:52 0 d-------- C:\WINDOWS\Registration
    2008-01-04 22:49:44 0 d--h----- C:\Program Files\WindowsUpdate
    2008-01-04 22:49:44 0 d-------- C:\Program Files\Online Services
    2008-01-04 22:49:36 0 d-------- C:\Program Files\Messenger
    2008-01-04 22:49:32 0 d-------- C:\Program Files\MSN Gaming Zone
    2008-01-04 22:48:49 0 d-------- C:\Program Files\Windows NT
    2008-01-04 22:48:44 0 d-------- C:\WINDOWS\system32\MsDtc
    2008-01-04 22:48:41 0 d-------- C:\WINDOWS\system32\Com
    2008-01-04 22:43:26 0 d--hs---- C:\WINDOWS\Installer
    2008-01-04 22:43:25 0 d-------- C:\Program Files\Common Files\ODBC
    2008-01-04 22:43:22 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2008-01-04 22:43:21 0 d-------- C:\Program Files
    2008-01-04 22:43:21 0 d-------- C:\Program Files\Common Files
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\Templates
    2008-01-04 22:42:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
    2008-01-04 22:42:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\Recent
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\My Documents
    2008-01-04 22:42:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\Favorites
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\Desktop
    2008-01-04 22:42:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\All Users\Templates
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Start Menu
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Favorites
    2008-01-04 22:42:57 0 dr------- C:\Documents and Settings\All Users\Documents
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Desktop
    2008-01-04 22:42:45 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-04 22:42:45 0 d-------- C:\WINDOWS\system32\CatRoot
    2008-01-04 22:42:40 0 dr-h----- C:\Documents and Settings\Default User\Application Data
    2008-01-04 22:42:40 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
    2008-01-04 22:42:39 0 d--h----- C:\Documents and Settings\All Users\Application Data
    2008-01-04 22:42:39 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-01-04 22:42:14 0 d-------- C:\Documents and Settings
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\WinSxS
    2008-01-04 22:35:40 0 dr------- C:\WINDOWS\Web
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\twain_32
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\wins
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\wbem
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\usmt
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\spool
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ShellExt
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\Setup
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ras
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\oobe
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\npp
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\mui
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\inetsrv
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\IME
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\icsxml
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ias
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\export
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers\etc
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers\disdn
    2008-01-04 22:35:40 0 dr-hs---- C:\WINDOWS\system32\dllcache
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\dhcp
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\config
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\3com_dmi
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\3076
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\2052
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1054
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1042
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1041
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1037
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1033
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1031
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1028
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1025
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\security
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Resources
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\repair
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Provisioning
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\PeerNet
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\pchealth
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\mui
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\msapps
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\msagent
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Media
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\java
    2008-01-04 22:35:40 0 d--h----- C:\WINDOWS\inf
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\ime
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Help
    2008-01-04 22:35:40 0 dr--s---- C:\WINDOWS\Fonts
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Driver Cache
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Debug
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Cursors
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Connection Wizard
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Config
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\AppPatch
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\addins


    -- Find3M Report ---------------------------------------------------------------

    2008-01-04 22:42:58 62 --ahs---- C:\Documents and Settings\Kapil\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel "= "SkyTel.EXE" [11/02/2006 02:06 PM C:\WINDOWS\SkyTel.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [11/02/2006 02:06 PM C:\WINDOWS\RTHDCPL.EXE]
    "Alcmtr "= "ALCMTR.EXE" [11/02/2006 02:06 PM C:\WINDOWS\ALCMTR.EXE]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/12/2006 02:25 AM]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [12/21/2004 12:11 AM]
    "AGRSMMSG "= "AGRSMMSG.exe" [11/02/2006 02:06 PM C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [03/12/2004 02:29 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Yahoo Messengger "=C:\WINDOWS\system32\SCVVHSOT.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy "=0 (0x0)
    "SynchronousUserGroupPolicy "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "DisableTaskMgr "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=0 (0x0)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "=1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "=1 (0x1)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4672d050-baec-11dc-b857-806d6172696f}]
    AutoRun\command- G:\SCVVHSOT.exe
    Open\command- G:\SCVVHSOT.exe




    -- End of Deckard's System Scanner: finished at 2008-01-13 13:52:48 ------------
     
  5. 2008/01/13
    noahdfear

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit enter.
    • An interface of Deckard's file association fix will open.
    • Click Scan.
    • cpl should come up in the list.
    • Check the box next to it (all instances of cpl), then click Fix.
    • Exit when complete.

    Check to see if you can access the Control Panel now.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh dss scan log.
     
  6. 2008/01/13
    rockingkaps

    Hi there

    Here is the report of Panda Active Scan


    Incident Status Location

    Virus:Bck/Sniper.J Disinfected Operating system
    Virus:Bck/Sniper.J Disinfected C:\WINDOWS\SYSTEM32\blastclnnn.exe
    Virus:W32/Sohanat.DZ.worm Disinfected C:\WINDOWS\SYSTEM32\AUTORUN.INI
    Virus:Bck/Sniper.J Disinfected C:\WINDOWS\SCVVHSOT.EXE
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kapil\Cookies\kapil@cgi-bin[1].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Kapil\Cookies\kapil@revenue[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Kapil\Cookies\kapil@searchportal.information[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Kapil\Cookies\kapil@burstnet[2].txt
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\10 Debt Consilidation\10 Articles\10 Articles.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\10 Links\25-6-2007\25-6-2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\leads\EMPLOYMENT\EMPLOYMENT.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\leads\SOFTWARE\SOFTWARE.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\ONE WAY LINKS\24 JULY, 2007\24 JULY, 2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\ONE WAY LINKS\30 JULY,2007\30 JULY,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\10 August,2007\10 August,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\10 August,2007\ORIG\22 Articles\22 Articles.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\10 August,2007\ORIG\ORIG.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\10 August,2007\REWRITE\REWRITE.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\20 August,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\ORIG\bad credit loan\bad credit loan.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\ORIG\data recovery\data recovery.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\ORIG\Dental implants\Dental implants.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\ORIG\dna test\dna test.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\ORIG\ORIG.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\REWRITE\bad credit loan-RW\bad credit loan-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\REWRITE\data recovery-RW\data recovery-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\REWRITE\Dental implants-RW\Dental implants-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\REWRITE\dna test-RW\dna test-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\20 August,2007\REWRITE\REWRITE.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\24 August,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\ORIG\drug treatment\drug treatment.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\ORIG\ORIG.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\ORIG\penny stocks\penny stocks.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\ORIG\Prefab Garage\Prefab Garage.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\REWRITE\drug treatment-RW\drug treatment-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\REWRITE\penny stocks-RW\penny stocks-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\REWRITE\Prefab Garage-RW\Prefab Garage-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\24 August,2007\REWRITE\REWRITE.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\28 August,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\ORIG\Cruise Insurance\Cruise Insurance.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\ORIG\Home Office furniture\Home Office furniture.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\ORIG\ORIG.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\REWRITE\Cruise Insurance-RW\Cruise Insurance-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\REWRITE\Home Office furniture-RW\Home Office furniture-RW.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\28 August,2007\REWRITE\REWRITE.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\7 August,2007\7 August,2007.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\7 August,2007\ORIG\ORIG.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\7 August,2007\ORIG\yeast infection\yeast infection.exe
    Virus:Bck/Sniper.J Disinfected E:\BACK-UP\PR\7 August,2007\REWRITE\REWRITE.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\409\409.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\Apple\Apple.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\Apple\EN\EN.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\Corel SVG\Corel SVG.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\English\Administrator\Administrator.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\English\English.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\Setup\Autorun\Autorun.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\corel12\Setup\Setup.exe
    Virus:Bck/Sniper.J Disinfected E:\DUMPS\phptohtmlconverter\phptohtmlconverter.exe
    Virus:Bck/Sniper.J Disinfected E:\PICS\Amit\Amit.exe
    Virus:Bck/Sniper.J Disinfected E:\PICS\Jimmy\Friends\Friends.exe
    Virus:Bck/Sniper.J Disinfected E:\XYZ\Certificates\Certificate\Certificate.exe
    Virus:Bck/Sniper.J Disinfected E:\XYZ\Certificates\Certificates.exe
    Virus:Bck/Sniper.J Disinfected E:\XYZ\RESUMES\RESUMES.exe

    Thanks
     
  7. 2008/01/13
    rockingkaps

    Here is the report of DSS Scan

    Deckard's System Scanner v20071014.68
    Run by Kapil on 2008-01-14 07:56:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 247 MiB (512 MiB recommended).


    -- HijackThis (run as Kapil.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:56:48 AM, on 1/14/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\_svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kapil\Desktop\dss.exe
    C:\DOCUME~1\Kapil\Desktop\Kapil.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Microsoft Int Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 4951 bytes

    -- Files created between 2007-12-14 and 2008-01-14 -----------------------------

    2008-01-14 01:02:08 0 d-------- C:\WINDOWS\system32\ActiveScan
    2008-01-14 01:02:03 0 d-------- C:\WINDOWS\LastGood
    2008-01-14 00:11:06 6144 --a------ C:\ie_updater.exe
    2008-01-14 00:11:04 6144 --a------ C:\WINDOWS\system32\_svchost.exe
    2008-01-14 00:11:04 6144 --a------ C:\Documents and Settings\Kapil\ie_updates3r.exe
    2008-01-13 14:56:39 0 d-------- C:\Documents and Settings\Kapil\Application Data\Helios
    2008-01-13 14:56:11 0 d-------- C:\Program Files\TextPad 5
    2008-01-13 14:23:47 0 d-------- C:\Program Files\WS_FTP
    2008-01-12 23:36:01 264192 --a------ C:\WINDOWS\system32\Incinerator.dll
    2008-01-12 23:36:01 25600 --a------ C:\WINDOWS\Inetmib1.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-01-12 23:36:00 22528 --a------ C:\WINDOWS\Snmpapi.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-01-12 23:36:00 0 d-------- C:\Program Files\iolo
    2008-01-12 20:24:17 28672 --a------ C:\Documents and Settings\Kapil\xXx.exe
    2008-01-12 20:09:12 0 d-------- C:\Documents and Settings\Kapil\Application Data\Google
    2008-01-12 20:06:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2008-01-12 19:35:10 0 d-------- C:\Program Files\Microsoft.NET
    2008-01-12 19:34:39 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-12 19:32:18 0 d-------- C:\WINDOWS\SHELLNEW
    2008-01-09 23:04:25 0 d-------- C:\Program Files\Winamp
    2008-01-09 22:55:46 22992 --a------ C:\WINDOWS\system\DDRAW16.DLL <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows® 95>
    2008-01-09 22:55:45 31744 --a------ C:\WINDOWS\system32\DDHELP.EXE <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows® 95>
    2008-01-09 22:55:43 17920 --a------ C:\WINDOWS\rsdll.dll
    2008-01-09 22:55:42 593920 --a------ C:\WINDOWS\system32\rsagnt32.dll <Not Verified; Release Software Corporation; Release Software Corporation SalesAgent>
    2008-01-09 22:55:42 0 d-------- C:\Program Files\xmplayer
    2008-01-09 22:52:41 0 d-------- C:\WINDOWS\Prefetch
    2008-01-09 21:39:30 0 d-------- C:\PUB
    2008-01-09 21:35:26 82032 --a------ C:\WINDOWS\winsbak2.reg
    2008-01-09 21:35:26 11026 --a------ C:\WINDOWS\winsbak.reg
    2008-01-09 21:35:16 0 d-------- C:\Documents and Settings\remoteservice\Templates
    2008-01-09 21:35:16 0 d-------- C:\Documents and Settings\LocalService\Templates
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Start Menu
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Favorites
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Documents
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Desktop
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\remoteservice\Application Data
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\NetworkService\Desktop
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Favorites
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Documents
    2008-01-09 21:35:15 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2008-01-09 21:34:08 0 d-------- C:\WINDOWS\system32\FLCSS.EXE
    2008-01-09 21:02:03 0 d-------- C:\Documents and Settings\Kapil\Application Data\Lavasoft
    2008-01-09 20:56:44 0 d-------- C:\Program Files\Lavasoft
    2008-01-05 23:54:53 0 d--h----- C:\WINDOWS\PIF
    2008-01-05 23:42:41 0 d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-01-05 23:23:19 0 d-------- C:\Program Files\Google
    2008-01-05 00:33:24 0 d-------- C:\WINDOWS\system32\Lang
    2008-01-05 00:29:08 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2008-01-05 00:27:59 0 d-------- C:\WINDOWS\system32\RTCOM
    2008-01-05 00:25:05 0 d---s---- C:\Documents and Settings\Kapil\UserData
    2008-01-05 00:23:44 0 d-------- C:\Program Files\Realtek
    2008-01-05 00:23:40 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-05 00:22:57 499712 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
    2008-01-05 00:22:36 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-01-04 23:24:43 0 d--hs---- C:\Recycled
    2008-01-04 23:07:40 0 d-------- C:\Documents and Settings\Kapil\Application Data\Symantec
    2008-01-04 23:04:08 0 d-------- C:\Program Files\Norton AntiVirus
    2008-01-04 23:03:54 0 d-------- C:\Program Files\Symantec
    2008-01-04 23:03:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-04 23:03:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-04 22:59:46 0 d-------- C:\Documents and Settings\Kapil\Application Data\Identities
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Templates
    2008-01-04 22:59:37 0 d-------- C:\Documents and Settings\Kapil\Start Menu
    2008-01-04 22:59:37 0 dr-h----- C:\Documents and Settings\Kapil\SendTo
    2008-01-04 22:59:37 0 dr-h----- C:\Documents and Settings\Kapil\Recent
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\PrintHood
    2008-01-04 22:59:37 1572864 --ah----- C:\Documents and Settings\Kapil\NTUSER.DAT
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\NetHood
    2008-01-04 22:59:37 0 dr------- C:\Documents and Settings\Kapil\My Documents
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Local Settings
    2008-01-04 22:59:37 0 dr------- C:\Documents and Settings\Kapil\Favorites
    2008-01-04 22:59:37 0 d-------- C:\Documents and Settings\Kapil\Desktop
    2008-01-04 22:59:37 0 d---s---- C:\Documents and Settings\Kapil\Cookies
    2008-01-04 22:59:37 0 d--h----- C:\Documents and Settings\Kapil\Application Data
    2008-01-04 22:58:49 0 d-------- C:\WINDOWS\SoftwareDistribution
    2008-01-04 22:58:49 0 d--hs---- C:\System Volume Information
    2008-01-04 22:58:48 0 d---s---- C:\WINDOWS\system32\Microsoft
    2008-01-04 22:58:47 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
    2008-01-04 22:58:47 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2008-01-04 22:58:47 0 d---s---- C:\Documents and Settings\LocalService\Cookies
    2008-01-04 22:58:47 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2008-01-04 22:58:47 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2008-01-04 22:58:34 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
    2008-01-04 22:58:34 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2008-01-04 22:58:34 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
    2008-01-04 22:58:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2008-01-04 22:58:34 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    2008-01-04 22:53:57 0 d-------- C:\WINDOWS\system32\xircom
    2008-01-04 22:53:57 0 d-------- C:\Program Files\microsoft frontpage
    2008-01-04 22:53:44 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
    2008-01-04 22:53:38 1056 --ahs---- C:\vaz4a2ma.sys
    2008-01-04 22:53:38 0 -rahs---- C:\MSDOS.SYS
    2008-01-04 22:53:38 0 -rahs---- C:\IO.SYS
    2008-01-04 22:53:38 0 --a------ C:\CONFIG.SYS
    2008-01-04 22:53:38 0 --a------ C:\AUTOEXEC.BAT
    2008-01-04 22:52:36 0 d--hs---- C:\Documents and Settings\All Users\DRM
    2008-01-04 22:52:26 0 dr------- C:\WINDOWS\Offline Web Pages
    2008-01-04 22:52:26 0 d---s---- C:\WINDOWS\Downloaded Program Files
    2008-01-04 22:51:57 0 d-------- C:\WINDOWS\system32\DirectX
    2008-01-04 22:51:21 0 d---s---- C:\WINDOWS\Tasks
    2008-01-04 22:51:20 0 d-------- C:\Program Files\Common Files\MSSoap
    2008-01-04 22:51:17 0 d-------- C:\WINDOWS\srchasst
    2008-01-04 22:51:16 0 d-------- C:\WINDOWS\system32\Macromed
    2008-01-04 22:51:09 0 d-------- C:\Program Files\Movie Maker
    2008-01-04 22:51:00 0 d-------- C:\WINDOWS\system32\Restore
    2008-01-04 22:50:16 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2008-01-04 22:49:52 0 d-------- C:\WINDOWS\Registration
    2008-01-04 22:49:44 0 d--h----- C:\Program Files\WindowsUpdate
    2008-01-04 22:49:44 0 d-------- C:\Program Files\Online Services
    2008-01-04 22:49:36 0 d-------- C:\Program Files\Messenger
    2008-01-04 22:49:32 0 d-------- C:\Program Files\MSN Gaming Zone
    2008-01-04 22:48:49 0 d-------- C:\Program Files\Windows NT
    2008-01-04 22:48:44 0 d-------- C:\WINDOWS\system32\MsDtc
    2008-01-04 22:48:41 0 d-------- C:\WINDOWS\system32\Com
    2008-01-04 22:43:26 0 d--hs---- C:\WINDOWS\Installer
    2008-01-04 22:43:25 0 d-------- C:\Program Files\Common Files\ODBC
    2008-01-04 22:43:22 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2008-01-04 22:43:21 0 d-------- C:\Program Files
    2008-01-04 22:43:21 0 d-------- C:\Program Files\Common Files
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\Templates
    2008-01-04 22:42:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
    2008-01-04 22:42:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\Recent
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\My Documents
    2008-01-04 22:42:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\Favorites
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\Default User\Desktop
    2008-01-04 22:42:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
    2008-01-04 22:42:57 0 d--h----- C:\Documents and Settings\All Users\Templates
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Start Menu
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Favorites
    2008-01-04 22:42:57 0 dr------- C:\Documents and Settings\All Users\Documents
    2008-01-04 22:42:57 0 d-------- C:\Documents and Settings\All Users\Desktop
    2008-01-04 22:42:45 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-04 22:42:45 0 d-------- C:\WINDOWS\system32\CatRoot
    2008-01-04 22:42:40 0 dr-h----- C:\Documents and Settings\Default User\Application Data
    2008-01-04 22:42:40 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
    2008-01-04 22:42:39 0 d--h----- C:\Documents and Settings\All Users\Application Data
    2008-01-04 22:42:39 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-01-04 22:42:14 0 d-------- C:\Documents and Settings
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\WinSxS
    2008-01-04 22:35:40 0 dr------- C:\WINDOWS\Web
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\twain_32
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\wins
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\wbem
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\usmt
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\spool
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ShellExt
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\Setup
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ras
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\oobe
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\npp
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\mui
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\inetsrv
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\IME
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\icsxml
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\ias
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\export
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers\etc
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\drivers\disdn
    2008-01-04 22:35:40 0 dr-hs---- C:\WINDOWS\system32\dllcache
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\dhcp
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\config
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\3com_dmi
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\3076
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\2052
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1054
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1042
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1041
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1037
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1033
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1031
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1028
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system32\1025
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\system
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\security
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Resources
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\repair
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Provisioning
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\PeerNet
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\pchealth
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\mui
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\msapps
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\msagent
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Media
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\java
    2008-01-04 22:35:40 0 d--h----- C:\WINDOWS\inf
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\ime
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Help
    2008-01-04 22:35:40 0 dr--s---- C:\WINDOWS\Fonts
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Driver Cache
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Debug
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Cursors
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Connection Wizard
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\Config
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\AppPatch
    2008-01-04 22:35:40 0 d-------- C:\WINDOWS\addins


    -- Find3M Report ---------------------------------------------------------------

    2008-01-04 22:42:58 62 --ahs---- C:\Documents and Settings\Kapil\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel "= "SkyTel.EXE" [11/02/2006 02:06 PM C:\WINDOWS\SkyTel.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [11/02/2006 02:06 PM C:\WINDOWS\RTHDCPL.EXE]
    "Alcmtr "= "ALCMTR.EXE" [11/02/2006 02:06 PM C:\WINDOWS\ALCMTR.EXE]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/12/2006 02:25 AM]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [12/21/2004 12:11 AM]
    "AGRSMMSG "= "AGRSMMSG.exe" [11/02/2006 02:06 PM C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [03/12/2004 02:29 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy "=0 (0x0)
    "SynchronousUserGroupPolicy "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "DisableTaskMgr "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=0 (0x0)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "=1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "=1 (0x1)

    *Newly Created Service* - RKPAVPROC



    -- End of Deckard's System Scanner: finished at 2008-01-14 07:57:36 ------------

    Thanks
     
  8. 2008/01/13
    noahdfear

    Download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  9. 2008/01/15
    rockingkaps

    Here is the log of Combo Scan

    ComboFix 08-01-15.4 - Kapil 2008-01-15 22:42:38.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.80 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Kapil\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\regedit.com
    C:\WINDOWS\system32\_svchost.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
    .

    2008-01-15 22:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\Your Company Name
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\McAfee
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-01-14 18:25 . 2008-01-14 18:25 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Ahead
    2008-01-14 18:15 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-01-14 18:15 . 2003-07-22 16:29 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
    2008-01-14 18:14 . 2008-01-14 18:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-01-14 18:14 . 2008-01-14 18:14 <DIR> d-------- C:\Program Files\Ahead
    2008-01-14 18:14 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
    2008-01-14 18:14 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
    2008-01-14 18:14 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
    2008-01-14 18:14 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-01-14 18:14 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
    2008-01-14 01:02 . 2008-01-14 01:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-01-14 01:02 . 2008-01-14 01:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-01-14 01:02 . 2008-01-14 01:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-14 01:02 . 2008-01-14 01:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-14 00:11 . 2008-01-14 00:11 6,144 --a------ C:\ie_updater.exe
    2008-01-14 00:11 . 2008-01-14 00:11 6,144 --a------ C:\Documents and Settings\Kapil\ie_updates3r.exe
    2008-01-14 00:11 . 0 C:\WINDOWS\system32\svchost.tmp
    2008-01-13 14:56 . 2008-01-13 14:56 <DIR> d-------- C:\Program Files\TextPad 5
    2008-01-13 14:56 . 2008-01-13 14:56 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Helios
    2008-01-13 14:23 . 2008-01-13 14:23 <DIR> d-------- C:\Program Files\WS_FTP
    2008-01-13 13:49 . 2008-01-13 13:49 <DIR> d-------- C:\Deckard
    2008-01-13 13:37 . 2006-11-02 14:06 1,161,152 -ra------ C:\WINDOWS\system32\drivers\AGRSM.sys
    2008-01-13 13:37 . 2006-11-02 14:06 89,542 -ra------ C:\WINDOWS\AGRSMMSG.exe
    2008-01-13 13:37 . 2006-11-02 14:06 68,608 -ra------ C:\WINDOWS\agrsmdel.exe
    2008-01-13 00:26 . 2008-01-13 00:26 60 --a------ C:\WINDOWS\wininit.ini
    2008-01-12 23:36 . 2008-01-12 23:36 <DIR> d-------- C:\Program Files\iolo
    2008-01-12 23:36 . 2000-08-09 17:23 264,192 --a------ C:\WINDOWS\system32\Incinerator.dll
    2008-01-12 23:36 . 1999-11-18 12:04 25,600 --a------ C:\WINDOWS\Inetmib1.dll
    2008-01-12 23:36 . 1999-11-18 12:04 22,528 --a------ C:\WINDOWS\Snmpapi.dll
    2008-01-12 20:24 . 2008-01-14 00:10 28,672 --a------ C:\Documents and Settings\Kapil\xXx.exe
    2008-01-12 20:13 . 2004-03-12 02:18 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-01-12 20:13 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-01-12 20:13 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-01-12 20:13 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-01-12 20:13 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-01-12 20:12 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
    2008-01-12 20:12 . 2004-03-12 00:14 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-01-12 20:12 . 2004-03-12 00:55 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
    2008-01-12 20:12 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-01-12 20:12 . 2004-03-12 00:14 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-01-12 20:12 . 2004-03-12 02:18 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-01-12 20:10 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-01-12 20:09 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
    2008-01-12 20:08 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-01-12 20:07 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-01-12 20:06 . 2004-03-12 02:18 4,256,640 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
    2008-01-12 20:05 . 2004-03-12 02:18 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
    2008-01-12 20:04 . 2001-08-17 13:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
    2008-01-12 20:03 . 2004-03-12 02:19 152,576 --a------ C:\WINDOWS\system32\dllcache\irftp.exe
    2008-01-12 20:02 . 2004-03-12 02:17 702,845 --a------ C:\WINDOWS\system32\dllcache\i81xdnt5.dll
    2008-01-12 20:01 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
    2008-01-12 20:00 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-01-12 19:59 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
    2008-01-12 19:58 . 2001-08-17 12:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
    2008-01-12 19:57 . 2004-03-12 02:18 1,052,608 --a------ C:\WINDOWS\system32\dllcache\ati3d2ag.dll
    2008-01-12 19:56 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
    2008-01-12 19:55 . 2004-03-12 01:13 2,162,176 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-01-12 19:55 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-01-12 19:36 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-01-12 19:36 . 2008-01-12 19:36 376 --a------ C:\WINDOWS\ODBC.INI
    2008-01-12 19:35 . 2008-01-12 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-01-12 19:34 . 2008-01-12 19:34 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-12 19:32 . 2008-01-12 19:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-01-09 23:04 . 2008-01-09 23:04 <DIR> d-------- C:\Program Files\Winamp
    2008-01-09 23:04 . 2008-01-14 21:50 192 --a------ C:\WINDOWS\winamp.ini
    2008-01-09 22:55 . 2008-01-09 22:55 <DIR> d-------- C:\Program Files\xmplayer
    2008-01-09 22:55 . 1997-01-31 18:36 593,920 --a------ C:\WINDOWS\system32\rsagnt32.dll
    2008-01-09 22:55 . 1996-05-22 15:57 31,744 --a------ C:\WINDOWS\system32\DDHELP.EXE
    2008-01-09 22:55 . 1996-05-25 20:30 22,992 --a------ C:\WINDOWS\system\DDRAW16.DLL
    2008-01-09 22:55 . 1996-10-08 13:38 17,920 --a------ C:\WINDOWS\rsdll.dll
    2008-01-09 22:55 . 1997-01-27 16:58 15,012 --a------ C:\WINDOWS\rsagent.hlp
    2008-01-09 21:39 . 2008-01-09 21:39 <DIR> d-------- C:\PUB
    2008-01-09 21:35 . 2008-01-09 21:35 <DIR> d-------- C:\Documents and Settings\remoteservice\Documents
    2008-01-09 21:35 . 2008-01-09 21:35 <DIR> d-------- C:\Documents and Settings\LocalService\Documents
    2008-01-09 21:35 . 2008-01-09 21:35 82,032 --a------ C:\WINDOWS\winsbak2.reg
    2008-01-09 21:35 . 2008-01-09 21:35 11,026 --a------ C:\WINDOWS\winsbak.reg
    2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\WINDOWS\system32\FLCSS.EXE
    2008-01-09 21:02 . 2008-01-09 21:02 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Lavasoft
    2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d--h----- C:\WINDOWS\PIF
    2008-01-05 23:42 . 2008-01-05 23:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-01-05 23:23 . 2008-01-05 23:23 <DIR> d-------- C:\Program Files\Google
    2008-01-05 00:33 . 2008-01-05 00:33 <DIR> d-------- C:\WINDOWS\system32\Lang
    2008-01-05 00:33 . 2008-01-05 00:33 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
    2008-01-05 00:33 . 2008-01-05 00:33 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
    2008-01-05 00:27 . 2008-01-05 00:28 <DIR> d-------- C:\WINDOWS\system32\RTCOM
    2008-01-05 00:27 . 2004-03-12 02:19 23,552 --------- C:\WINDOWS\system32\wdmaud.drv
    2008-01-05 00:27 . 2004-03-12 02:19 23,552 --a------ C:\WINDOWS\system32\dllcache\wdmaud.drv
    2008-01-05 00:25 . 2008-01-05 00:25 <DIR> d---s---- C:\Documents and Settings\Kapil\UserData
    2008-01-05 00:24 . 2006-11-02 14:06 9,709,568 --a------ C:\WINDOWS\RTLCPL.EXE
    2008-01-05 00:24 . 2006-11-02 14:06 4,387,328 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2008-01-05 00:24 . 2006-11-02 14:06 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
    2008-01-05 00:24 . 2006-11-02 14:06 1,183,744 --a------ C:\WINDOWS\RtlUpd.exe
    2008-01-05 00:24 . 2006-11-02 14:06 282,624 --a------ C:\WINDOWS\system32\RTSndMgr.CPL
    2008-01-05 00:24 . 2006-11-02 14:06 86,016 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-01-05 00:24 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-04 17:23 1,056 --sha-w C:\vaz4a2ma.sys
    2008-01-04 17:23 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel"="SkyTel.EXE" [2006-11-02 14:06 2879488 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-02 14:06 16267776 C:\WINDOWS\RTHDCPL.EXE]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-21 00:11 33792]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-11-02 14:06 89542 C:\WINDOWS\AGRSMMSG.exe]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2001-03-05 10:44 32785]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy"=0 (0x0)
    "SynchronousUserGroupPolicy"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions"=1 (0x1)

    R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2000-12-20 05:15]
    R2 AvSynMgr;AVSync Manager;"C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2001-03-05 10:44]
    R2 Microsoft Int Service;Microsoft Int Service;C:\WINDOWS\system32\_svchost.exe []

    *Newly Created Service* - NAIFSREC
    *Newly Created Service* - PROCEXP90
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 22:43:14
    Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-15 22:43:28
    ComboFix-quarantined-files.txt 2008-01-15 17:13:28
     
  11. 2008/01/15
    rockingkaps

    rockingkaps Inactive Thread Starter

    Joined:
    2008/01/12
    Messages:
    11
    Likes Received:
    0
    Here is the new HijackThis scan file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:52:40 PM, on 1/15/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\_svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kapil\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: Microsoft Int Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)

    --
    End of file - 2967 bytes
     
  12. 2008/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\ie_updater.exe
    C:\Documents and Settings\Kapil\ie_updates3r.exe
    C:\Documents and Settings\Kapil\xXx.exe
    C:\WINDOWS\system32\svchost.tmp
    C:\WINDOWS\winsbak2.reg
    C:\WINDOWS\winsbak.reg
    Folder::
    C:\PUB
    C:\Documents and Settings\remoteservice\Documents
    C:\Documents and Settings\LocalService\Documents
    C:\WINDOWS\system32\FLCSS.EXE
    Driver::
    Microsoft Int Service
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a new HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
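The indicators this thread turns on can be pulled out of the posted log text automatically: the DisableRegistryTools / DisableTaskMgr / NofolderOptions policy values in the DSS and ComboFix registry dumps, the C:\WINDOWS\regedit.com that ComboFix deleted, and the "Microsoft Int Service" entry pointing at _svchost.exe that both ComboFix (R2 line with an empty []) and HijackThis (O23 line with "file missing") report. The Python below is an added example, not code from the thread or from HijackThis, ComboFix or DSS. It parses log lines in the shapes visible in the posts above, flags those three indicator classes, and renders a CFScript in the File::/Driver:: layout noahdfear used together with a .reg file that sets the policy values back to 0. The regular expressions are inferred from the log lines on this page, the impostor names other than regedit.com are assumptions, and the sample input is constructed from the thread's own lines with the policy values set to 1, as they would have read while the tools were still disabled.

```python
"""Triage the HijackThis / ComboFix / DSS log text posted in this thread.

Added example, not code from the thread or from any of those tools. From raw log
lines it extracts policy values that lock out regedit, Task Manager and Folder
Options, services whose binary is missing or is an svchost.exe lookalike, and
dropped impostors such as regedit.com (typed without an extension, .COM resolves
before .EXE under the default PATHEXT). It renders a CFScript in the File::/Driver::
layout used above and a .reg file that resets the policy values to 0.
"""
import re
from dataclasses import dataclass, field

RESTRICTIONS = {"disableregistrytools", "disabletaskmgr", "nofolderoptions"}
SVCHOST_OK = r"c:\windows\system32\svchost.exe"   # the only legitimate location on XP
# regedit.com is the one seen in this thread; the other names are assumed generalisations.
SHADOW_TARGETS = {"regedit.com", "taskmgr.com", "msconfig.com", "cmd.com"}

# "DisableTaskMgr"=1 (0x1)   (tolerates the stray spaces the forum inserted around quotes)
POLICY_RE = re.compile(r'^"?(?P<name>[A-Za-z]+)\s*"?\s*=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)')
# O23 - Service: <display> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")
# R2 <short>;<display>;<path> [<date size>]   (ComboFix prints [] when the file is absent)
CF_SVC_RE = re.compile(r"^R[0-4] [^;]+;(?P<name>[^;]+);(?P<path>.+?) \[(?P<info>.*)\]$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\\S")

@dataclass
class Findings:
    restrictions: list = field(default_factory=list)  # (registry key, value name) set non-zero
    services: dict = field(default_factory=dict)      # display name -> (path, reason)
    files: list = field(default_factory=list)         # impostor .com / svchost lookalike paths

def _clean(path):
    return path.strip().strip('"').lower()

def _lookalike(path):
    """svchost-named file anywhere other than the genuine System32 copy."""
    p = _clean(path)
    return "svchost" in p.rsplit("\\", 1)[-1] and p != SVCHOST_OK

def _note_service(f, name, path, missing):
    # "Unknown owner" on its own is not an indicator: the McAfee service above shows it too.
    reason = ("binary missing (orphaned service entry)" if missing
              else "svchost lookalike outside System32" if _lookalike(path) else None)
    if reason:
        f.services.setdefault(name, (path.strip().strip('"'), reason))

def triage(lines):
    f, key = Findings(), None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[HKEY_"):
            key = line.strip("[]")          # remember the hive/key for the values that follow
            continue
        m = POLICY_RE.match(line)
        if m and m["name"].lower() in RESTRICTIONS:
            if int(m["val"]) != 0:
                f.restrictions.append((key, m["name"]))
            continue
        m = O23_RE.match(line)
        if m:
            _note_service(f, m["name"], m["path"], m["missing"] is not None)
            continue
        m = CF_SVC_RE.match(line)
        if m:
            _note_service(f, m["name"], m["path"], m["info"].strip() == "")
            continue
        if WINPATH_RE.match(line) and (_clean(line).rsplit("\\", 1)[-1] in SHADOW_TARGETS
                                       or _lookalike(line)):
            f.files.append(line)
    return f

def render_cfscript(f):
    """CFScript in the layout used in this thread: section header, one entry per line."""
    out = ["File::", *f.files] if f.files else []
    out += ["Driver::", *f.services] if f.services else []
    return "".join(s + "\n" for s in out)

def render_reg_reset(f):
    """A .reg file that sets every flagged restriction back to 0 (REG_DWORD)."""
    by_key = {}
    for key, name in f.restrictions:
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out += [f"[{key}]", *(f'"{n}"=dword:00000000' for n in names), ""]
    return "\n".join(out)

# Constructed sample: lines lifted from the logs above, with the policy values as
# they would have read while regedit and Task Manager were still disabled.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools "=1 (0x1)
"DisableTaskMgr "=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions "= 1 (0x1)
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\_svchost.exe
R2 AvSynMgr;AVSync Manager; "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2001-03-05 10:44]
R2 Microsoft Int Service;Microsoft Int Service;C:\WINDOWS\system32\_svchost.exe []
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
""".splitlines()
```

Run it against a saved log with triage(open(path).read().splitlines()); on the sample it flags all three policy values, the two dropped files and the one orphaned service, and leaves the McAfee service alone. Two points worth noting. "Unknown owner" by itself is not treated as an indicator because the legitimate McAfee service in the HijackThis log above shows it too; what matters is a binary that is missing or an svchost-named file outside System32. And the generated .reg can only be merged once regedit actually runs, which is why the regedit.com impostor has to be removed first, as ComboFix did under "Other Deletions" in the earlier log.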
     
  13. 2008/01/16
    rockingkaps

    rockingkaps Inactive Thread Starter

    Joined:
    2008/01/12
    Messages:
    11
    Likes Received:
    0
    Here is the new report from ComboFix

    ComboFix 08-01-15.4 - Kapil 2008-01-16 22:59:37.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Kapil\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kapil\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\Documents and Settings\Kapil\ie_updates3r.exe
    C:\Documents and Settings\Kapil\xXx.exe
    C:\ie_updater.exe
    C:\WINDOWS\system32\svchost.tmp
    C:\WINDOWS\winsbak.reg
    C:\WINDOWS\winsbak2.reg
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Kapil\ie_updates3r.exe
    C:\Documents and Settings\Kapil\xXx.exe
    C:\Documents and Settings\LocalService\Documents
    C:\Documents and Settings\remoteservice\Documents
    C:\ie_updater.exe
    C:\PUB
    C:\WINDOWS\system32\FLCSS.EXE
    C:\WINDOWS\system32\svchost.tmp
    C:\WINDOWS\winsbak.reg
    C:\WINDOWS\winsbak2.reg

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_MICROSOFT_INT_SERVICE
    -------\Microsoft Int Service


    ((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
    .

    2008-01-15 22:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\Your Company Name
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\McAfee
    2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-01-14 18:25 . 2008-01-14 18:25 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Ahead
    2008-01-14 18:15 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-01-14 18:15 . 2003-07-22 16:29 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
    2008-01-14 18:14 . 2008-01-14 18:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-01-14 18:14 . 2008-01-14 18:14 <DIR> d-------- C:\Program Files\Ahead
    2008-01-14 18:14 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
    2008-01-14 18:14 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
    2008-01-14 18:14 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
    2008-01-14 18:14 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-01-14 18:14 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
    2008-01-14 01:02 . 2008-01-14 01:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-01-14 01:02 . 2008-01-14 01:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-01-14 01:02 . 2008-01-14 01:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-14 01:02 . 2008-01-14 01:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-13 14:56 . 2008-01-13 14:56 <DIR> d-------- C:\Program Files\TextPad 5
    2008-01-13 14:56 . 2008-01-13 14:56 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Helios
    2008-01-13 14:23 . 2008-01-13 14:23 <DIR> d-------- C:\Program Files\WS_FTP
    2008-01-13 13:49 . 2008-01-13 13:49 <DIR> d-------- C:\Deckard
    2008-01-13 13:37 . 2006-11-02 14:06 1,161,152 -ra------ C:\WINDOWS\system32\drivers\AGRSM.sys
    2008-01-13 13:37 . 2006-11-02 14:06 89,542 -ra------ C:\WINDOWS\AGRSMMSG.exe
    2008-01-13 13:37 . 2006-11-02 14:06 68,608 -ra------ C:\WINDOWS\agrsmdel.exe
    2008-01-13 00:26 . 2008-01-13 00:26 60 --a------ C:\WINDOWS\wininit.ini
    2008-01-12 23:36 . 2008-01-12 23:36 <DIR> d-------- C:\Program Files\iolo
    2008-01-12 23:36 . 2000-08-09 17:23 264,192 --a------ C:\WINDOWS\system32\Incinerator.dll
    2008-01-12 23:36 . 1999-11-18 12:04 25,600 --a------ C:\WINDOWS\Inetmib1.dll
    2008-01-12 23:36 . 1999-11-18 12:04 22,528 --a------ C:\WINDOWS\Snmpapi.dll
    2008-01-12 20:13 . 2004-03-12 02:18 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-01-12 20:13 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-01-12 20:13 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-01-12 20:13 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-01-12 20:13 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-01-12 20:12 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
    2008-01-12 20:12 . 2004-03-12 00:14 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-01-12 20:12 . 2004-03-12 00:55 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
    2008-01-12 20:12 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-01-12 20:12 . 2004-03-12 00:14 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-01-12 20:12 . 2004-03-12 02:18 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-01-12 20:10 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-01-12 20:09 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
    2008-01-12 20:08 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-01-12 20:07 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-01-12 20:06 . 2004-03-12 02:18 4,256,640 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
    2008-01-12 20:05 . 2004-03-12 02:18 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
    2008-01-12 20:04 . 2001-08-17 13:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
    2008-01-12 20:03 . 2004-03-12 02:19 152,576 --a------ C:\WINDOWS\system32\dllcache\irftp.exe
    2008-01-12 20:02 . 2004-03-12 02:17 702,845 --a------ C:\WINDOWS\system32\dllcache\i81xdnt5.dll
    2008-01-12 20:01 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
    2008-01-12 20:00 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-01-12 19:59 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
    2008-01-12 19:58 . 2001-08-17 12:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
    2008-01-12 19:57 . 2004-03-12 02:18 1,052,608 --a------ C:\WINDOWS\system32\dllcache\ati3d2ag.dll
    2008-01-12 19:56 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
    2008-01-12 19:55 . 2004-03-12 01:13 2,162,176 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-01-12 19:55 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-01-12 19:36 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-01-12 19:36 . 2008-01-12 19:36 376 --a------ C:\WINDOWS\ODBC.INI
    2008-01-12 19:35 . 2008-01-12 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-01-12 19:34 . 2008-01-12 19:34 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-12 19:32 . 2008-01-12 19:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-01-09 23:04 . 2008-01-09 23:04 <DIR> d-------- C:\Program Files\Winamp
    2008-01-09 23:04 . 2008-01-14 21:50 192 --a------ C:\WINDOWS\winamp.ini
    2008-01-09 22:55 . 2008-01-09 22:55 <DIR> d-------- C:\Program Files\xmplayer
    2008-01-09 22:55 . 1997-01-31 18:36 593,920 --a------ C:\WINDOWS\system32\rsagnt32.dll
    2008-01-09 22:55 . 1996-05-22 15:57 31,744 --a------ C:\WINDOWS\system32\DDHELP.EXE
    2008-01-09 22:55 . 1996-05-25 20:30 22,992 --a------ C:\WINDOWS\system\DDRAW16.DLL
    2008-01-09 22:55 . 1996-10-08 13:38 17,920 --a------ C:\WINDOWS\rsdll.dll
    2008-01-09 22:55 . 1997-01-27 16:58 15,012 --a------ C:\WINDOWS\rsagent.hlp
    2008-01-09 21:02 . 2008-01-09 21:02 <DIR> d-------- C:\Documents and Settings\Kapil\Application Data\Lavasoft
    2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d--h----- C:\WINDOWS\PIF
    2008-01-05 23:42 . 2008-01-05 23:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-01-05 23:23 . 2008-01-05 23:23 <DIR> d-------- C:\Program Files\Google
    2008-01-05 00:33 . 2008-01-05 00:33 <DIR> d-------- C:\WINDOWS\system32\Lang
    2008-01-05 00:33 . 2008-01-05 00:33 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
    2008-01-05 00:33 . 2008-01-05 00:33 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
    2008-01-05 00:27 . 2008-01-05 00:28 <DIR> d-------- C:\WINDOWS\system32\RTCOM
    2008-01-05 00:27 . 2004-03-12 02:19 23,552 --------- C:\WINDOWS\system32\wdmaud.drv
    2008-01-05 00:27 . 2004-03-12 02:19 23,552 --a------ C:\WINDOWS\system32\dllcache\wdmaud.drv
    2008-01-05 00:25 . 2008-01-05 00:25 <DIR> d---s---- C:\Documents and Settings\Kapil\UserData
    2008-01-05 00:24 . 2006-11-02 14:06 9,709,568 --a------ C:\WINDOWS\RTLCPL.EXE
    2008-01-05 00:24 . 2006-11-02 14:06 4,387,328 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2008-01-05 00:24 . 2006-11-02 14:06 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
    2008-01-05 00:24 . 2006-11-02 14:06 1,183,744 --a------ C:\WINDOWS\RtlUpd.exe
    2008-01-05 00:24 . 2006-11-02 14:06 282,624 --a------ C:\WINDOWS\system32\RTSndMgr.CPL
    2008-01-05 00:24 . 2006-11-02 14:06 86,016 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-01-05 00:24 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-01-05 00:23 . 2008-01-05 00:23 <DIR> d-------- C:\Program Files\Realtek
    2008-01-05 00:23 . 2008-01-05 00:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-05 00:23 . 2006-11-02 14:06 16,267,776 --a------ C:\WINDOWS\RTHDCPL.EXE
    2008-01-05 00:23 . 2006-11-02 14:06 2,808,832 --a------ C:\WINDOWS\ALCWZRD.EXE
    2008-01-05 00:23 . 2006-11-02 14:06 2,157,568 --a------ C:\WINDOWS\MicCal.exe
    2008-01-05 00:23 . 2006-11-02 14:06 299,008 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
    2008-01-05 00:23 . 2006-11-02 14:06 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
    2008-01-05 00:22 . 2008-01-05 00:22 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-01-05 00:22 . 2006-11-02 14:06 499,712 -r------- C:\WINDOWS\RtlExUpd.dll
    2008-01-04 23:24 . 2008-01-04 23:24 <DIR> d--hs---- C:\Recycled

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-04 17:23 1,056 --sha-w C:\vaz4a2ma.sys
    2008-01-04 17:23 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-15_22.43.17.37 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-15 17:12:32 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-16 17:29:18 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-15 17:12:34 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-16 17:29:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-15 17:12:34 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-16 17:29:18 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-15 17:12:34 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-16 17:29:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-15 17:12:34 1,368,064 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-16 17:29:20 1,368,064 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-15 17:12:34 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-16 17:29:20 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2000-08-31 02:30:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    - 2008-01-15 16:59:04 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-01-16 16:59:38 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-01-15 16:59:04 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-01-16 16:59:38 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel "= "SkyTel.EXE" [2006-11-02 14:06 2879488 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-11-02 14:06 16267776 C:\WINDOWS\RTHDCPL.EXE]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2004-12-21 00:11 33792]
    "AGRSMMSG "= "AGRSMMSG.exe" [2006-11-02 14:06 89542 C:\WINDOWS\AGRSMMSG.exe]
    "NeroCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "Alogserv "= "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2001-03-05 10:44 32785]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy "= 0 (0x0)
    "SynchronousUserGroupPolicy "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "= 1 (0x1)

    R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2000-12-20 05:15]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-16 23:02:30
    Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-16 23:02:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-16 17:32:48
    ComboFix2.txt 2008-01-15 17:13:30
     
  14. 2008/01/16
    rockingkaps (Thread Starter)
    Here is the new Hijack Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:09:56 PM, on 1/16/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Documents and Settings\Kapil\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

    --
    End of file - 2950 bytes
     
  15. 2008/01/16
    noahdfear
    Looking much better. :)

    Did you install microsoft frontpage?
    Please copy the bolded command below, then click Start>Run and type cmd, hit Enter to open a command window.

    attrib -h -s -r C:\vaz4a2ma.sys

    Right click in the command window and paste the copied command, then hit enter.

    Now, please go to my submission channel and upload the following files so that I can analyze them. Leave a link to this topic.

    C:\vaz4a2ma.sys
    C:\WINDOWS\wininit.ini


    Things seem to be working OK?
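    The Find3M entry for C:\vaz4a2ma.sys above (attributes --sha-w, i.e. system+hidden, sitting in the volume root) is exactly the kind of line the attrib -h -s -r step is meant to expose. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that parses both ComboFix line formats shown in the log (the dated listing and the Find3M report), reads the attribute flags by letter membership because the two formats order the letters differently, and flags the file entries a responder would look at first. The sample lines are copied from the log above; the flagging rules are heuristics chosen for this example, not anything ComboFix or the helper applies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines copied from the ComboFix log above, covering both
# formats it uses (the dated listing and the shorter "Find3M Report" lines).
SAMPLE_LOG = r"""
2008-01-13 00:26 . 2008-01-13 00:26 60 --a------ C:\WINDOWS\wininit.ini
2008-01-05 23:42 . 2008-01-05 23:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-04 23:24 . 2008-01-04 23:24 <DIR> d--hs---- C:\Recycled
2008-01-13 13:37 . 2006-11-02 14:06 1,161,152 -ra------ C:\WINDOWS\system32\drivers\AGRSM.sys
2008-01-04 17:23 1,056 --sha-w C:\vaz4a2ma.sys
2008-01-04 17:23 --------- d-----w C:\Program Files\microsoft frontpage
"""

# <timestamp> [. <timestamp>] <size | <DIR> | ---------> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)"          # first timestamp
    r"(?: \. (\d{4}-\d\d-\d\d \d\d:\d\d))?"   # second timestamp (dated listing only)
    r" (<DIR>|[\d,]+|-{9})"                   # size, <DIR>, or the Find3M dash placeholder
    r" ([-a-z]+)"                             # attribute flags, e.g. --sha-w or d--hs----
    r" (.+)$"                                 # path
)


@dataclass
class Entry:
    path: str
    is_dir: bool
    hidden: bool
    system: bool
    readonly: bool
    size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ComboFix file line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, size_field, attrs, path = m.groups()
    # The two formats order the flag letters differently (d r a h s ... versus
    # d r s h a . w), so test for letter membership instead of fixed positions.
    return Entry(
        path=path,
        is_dir=size_field == "<DIR>" or attrs.startswith("d"),
        hidden="h" in attrs,
        system="s" in attrs,
        readonly="r" in attrs,
        size=int(size_field.replace(",", "")) if size_field[0].isdigit() else None,
    )


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for file entries worth a closer look.

    The rules are heuristics chosen for this example; a hit means "inspect",
    not "malicious".  Directories are skipped because hidden+system folders
    such as the Recycled folder are normal.
    """
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or e.is_dir:
            continue
        lower = e.path.lower()
        _, _, below_root = lower.partition(":\\")
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system attributes; clear with attrib -h -s before uploading")
        if "\\" not in below_root:
            reasons.append("file sits in the volume root")
        if lower.endswith(".sys") and "\\system32\\drivers\\" not in lower:
            reasons.append("driver-style .sys file outside system32\\drivers")
        if lower.endswith("\\wininit.ini"):
            reasons.append("wininit.ini present: boot-time rename/delete list worth reading")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    Run as-is it prints the two paths noahdfear asks for above; to work a whole log, pass the file contents to triage(). The output is a reading list, not a verdict: a legitimate installer can also leave a wininit.ini behind, which is why the file gets uploaded for analysis rather than deleted on sight.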
     
  16. 2008/01/17
    rockingkaps (Thread Starter)
    Hi there

    Things seem right to me too, but I still fear something erupting again. I mean, is my system fully cleaned now?

    1) No, I didn't install FrontPage.
    2) I did as required and sent both the files, C:\vaz4a2ma.sys and
    C:\WINDOWS\wininit.ini, to you.

    Thanks
     
  17. 2008/01/17
    noahdfear
    I didn't think you had installed FrontPage. Let's nuke a couple of other things. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\vaz4a2ma.sys
    C:\WINDOWS\wininit.ini
    Folder::
    C:\Program Files\microsoft frontpage
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    After you've posted the log, please do an online scan with Kaspersky WebScanner

    http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html (link for US and others not listed below)
    http://www.kaspersky.com.au/online-scanner/# (Australian link)
    http://www.kaspersky.co.uk/virusscanner (UK link)


    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under Select a target to scan, select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button and save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  18. 2008/01/20
    rockingkaps (Thread Starter)
    Sorry man, I was fed up with things, as something changed my desktop background, and I installed a new copy of Windows by formatting my system. I managed to back up all my data and everything looks fine. Let's hope it goes fine, or I'll be back to you for help.

    Anyway, I'm very grateful to you for your help. Thanks a lot.

    Kapil
     
  19. 2008/01/20
    noahdfear
    Thanks for the followup Kapil. :)
     
