News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
May 21, 2013, 05:43:21
linktree cexx.org - Support Forums  >  Spyware-Related Stuff  >  Spyware - General
linktree Topic: AV Security Syware - kindly help
Pages: 1 [2]   Go Down
« previous next »
  Print  
Topic: AV Security Syware - kindly help  (Read 2959 times)
0 Members and 1 Guest are viewing this topic.
« Reply #15 on: November 27, 2011, 10:40:45 »
trouble Offline
Jr. Member

 **

Karma: 0
Posts: 52
Combo fix

ComboFix 11-11-27.02 - Kaustubh Borah 11/27/2011  12:29:38.10.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.614 [GMT -6:00]
Running from: c:\documents and settings\Kaustubh Borah\Desktop\username123.exe.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kaustubh Borah\Local Settings\Application Data\pay.exe
c:\documents and settings\Kaustubh Borah\Start Menu\Programs\AV Protection 2011
c:\documents and settings\Kaustubh Borah\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-27 to 2011-11-27  )))))))))))))))))))))))))))))))
.
.
2011-11-23 06:12 . 2011-11-23 06:12   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\LtxP0ucS2b3n5Q
2011-11-23 06:12 . 2011-11-23 06:12   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\vJ7dEL8gRqYwUrO
2011-11-23 05:30 . 2011-11-23 06:49   --------   d-----w-   c:\program files\E5491
2011-11-23 05:29 . 2011-11-23 05:51   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\A09E5
2011-11-23 05:29 . 2011-11-23 05:29   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\xEEL88gTZqh
2011-11-23 05:29 . 2011-11-23 05:29   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\puuvD22on4pHsW7
2011-11-23 05:29 . 2011-11-23 05:29   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\kiibbF33pn5aQ6W
2011-11-23 05:29 . 2011-11-23 05:29   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\ITXXqjjUC
2011-11-17 01:10 . 2011-11-17 01:10   388096   ----a-r-   c:\documents and settings\Kaustubh Borah\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 01:10 . 2011-11-17 01:10   --------   d-----w-   c:\program files\Trend Micro
2011-11-15 00:22 . 2011-11-15 00:22   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\U3
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-25 23:22 . 2011-06-11 04:23   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 23:00 . 2011-06-10 23:39   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-11-09 03:42 . 2011-06-11 04:27   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-11-16_03.32.30   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-27 18:24 . 2011-11-27 18:24   16384              c:\windows\temp\Perflib_Perfdata_138.dat
+ 2004-08-04 10:00 . 2011-11-27 18:29   41238              c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2011-11-16 03:29   41238              c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-11-27 18:29   315076              c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2011-11-16 03:29   315076              c:\windows\system32\perfh009.dat
+ 2011-11-27 01:18 . 2011-11-27 01:18   333824              c:\windows\Installer\2047d0.msi
+ 2011-11-17 01:10 . 2011-11-17 01:10   1094656              c:\windows\Installer\1bce5.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-26 17361032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-15 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-06-10 23:16   13672   ----a-w-   c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Kaustubh Borah\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Kaustubh Borah\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-562591055-839522115-1003Core.job
- c:\documents and settings\Kaustubh Borah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 15:55]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-562591055-839522115-1003UA.job
- c:\documents and settings\Kaustubh Borah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 15:55]
.
2011-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-484763869-562591055-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-484763869-562591055-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Kaustubh Borah\Application Data\Mozilla\Firefox\Profiles\o0du32ef.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-27 12:32
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-11-27  12:33:21
ComboFix-quarantined-files.txt  2011-11-27 18:33
ComboFix2.txt  2011-11-23 06:28
ComboFix3.txt  2011-11-22 20:01
ComboFix4.txt  2011-11-20 17:41
ComboFix5.txt  2011-11-27 18:28
.
Pre-Run: 33,370,329,088 bytes free
Post-Run: 33,412,497,408 bytes free
.
- - End Of File - - D0FB49A75658707133030B8877481FDD


Hijack this

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:38:59 PM, on 11/27/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)

--
End of file - 6456 bytes
Logged
« Reply #16 on: November 27, 2011, 10:50:04 »
trouble Offline
Jr. Member

 **

Karma: 0
Posts: 52
That went quickly:

The options I selected:

Processes - Safe list
Modules - No Company Name
Services- Safe list
Drivers - Safe list
Registry - Safe list
Files Created Within - File Age
Files Modified Within - File Age
Check - Scan All Users, NO Name, Safe list

Results

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:38:59 PM, on 11/27/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)

--
End of file - 6456 bytes

 
Logged
« Reply #17 on: November 28, 2011, 02:37:17 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
is this the same computer that we are working on here or is it a different one
http://boards.cexx.org/index.php?topic=19063.0
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #18 on: November 28, 2011, 08:31:57 »
trouble Offline
Jr. Member

 **

Karma: 0
Posts: 52
The Same.
Logged
« Reply #19 on: November 29, 2011, 13:11:51 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
I have merged them both together, stay in this topic until fixed, don't start new ones or it causes confusion



Download the attached CFScript.txt  and save it to your  desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop  in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe  or renamed combofix icon as shown in the screenshot below.

 



 

This will start ComboFix again.  It may ask to reboot.  Post the contents of Combofix.txt in your next reply .


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #20 on: November 29, 2011, 20:50:26 »
trouble Offline
Jr. Member

 **

Karma: 0
Posts: 52
ComboFix 11-11-29.04 - Kaustubh Borah 11/29/2011  20:49:01.11.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.660 [GMT -6:00]
Running from: c:\documents and settings\Kaustubh Borah\Desktop\username123.exe.exe
Command switches used :: c:\documents and settings\Kaustubh Borah\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kaustubh Borah\Application Data\A09E5
c:\documents and settings\Kaustubh Borah\Application Data\A09E5\5491.09E
c:\documents and settings\Kaustubh Borah\Application Data\ITXXqjjUC
c:\documents and settings\Kaustubh Borah\Application Data\kiibbF33pn5aQ6W
c:\documents and settings\Kaustubh Borah\Application Data\LtxP0ucS2b3n5Q
c:\documents and settings\Kaustubh Borah\Application Data\LtxP0ucS2b3n5Q\AV Protection 2011.ico
c:\documents and settings\Kaustubh Borah\Application Data\puuvD22on4pHsW7
c:\documents and settings\Kaustubh Borah\Application Data\vJ7dEL8gRqYwUrO
c:\documents and settings\Kaustubh Borah\Application Data\xEEL88gTZqh
c:\documents and settings\Kaustubh Borah\Application Data\xEEL88gTZqh\AV Protection 2011.ico
c:\program files\E5491
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-28 to 2011-11-30  )))))))))))))))))))))))))))))))
.
.
2011-11-17 01:10 . 2011-11-17 01:10   388096   ----a-r-   c:\documents and settings\Kaustubh Borah\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 01:10 . 2011-11-17 01:10   --------   d-----w-   c:\program files\Trend Micro
2011-11-15 00:22 . 2011-11-15 00:22   --------   d-----w-   c:\documents and settings\Kaustubh Borah\Application Data\U3
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-25 23:22 . 2011-06-11 04:23   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-09 03:42 . 2011-06-11 04:27   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-11-16_03.32.30   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-28 23:37 . 2011-11-28 23:37   16384              c:\windows\temp\Perflib_Perfdata_138.dat
+ 2004-08-04 10:00 . 2011-11-29 23:34   41238              c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2011-11-16 03:29   41238              c:\windows\system32\perfc009.dat
+ 2011-06-10 23:39 . 2011-08-31 23:00   22216              c:\windows\system32\drivers\mbam.sys
+ 2004-08-04 10:00 . 2011-11-29 23:34   315076              c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2011-11-16 03:29   315076              c:\windows\system32\perfh009.dat
+ 2011-11-27 01:18 . 2011-11-27 01:18   333824              c:\windows\Installer\2047d0.msi
+ 2011-11-17 01:10 . 2011-11-17 01:10   1094656              c:\windows\Installer\1bce5.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-26 17361032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-15 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-06-10 23:16   13672   ----a-w-   c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Kaustubh Borah\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Kaustubh Borah\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-562591055-839522115-1003Core.job
- c:\documents and settings\Kaustubh Borah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 15:55]
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-562591055-839522115-1003UA.job
- c:\documents and settings\Kaustubh Borah\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-08 15:55]
.
2011-11-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-484763869-562591055-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-484763869-562591055-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Kaustubh Borah\Application Data\Mozilla\Firefox\Profiles\o0du32ef.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-29 20:52
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-11-29  20:53:58
ComboFix-quarantined-files.txt  2011-11-30 02:53
ComboFix2.txt  2011-11-27 18:33
ComboFix3.txt  2011-11-23 06:28
ComboFix4.txt  2011-11-22 20:01
ComboFix5.txt  2011-11-30 02:48
.
Pre-Run: 33,056,542,720 bytes free
Post-Run: 33,045,729,280 bytes free
.
- - End Of File - - 83479312F8F766D4516A53277735DD0E
Logged
« Reply #21 on: November 30, 2011, 02:22:04 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
how is it now

next run this
http://www.malwarecity.com/blog/new-removal-tools-for-the-tdss-family-of-crimeware-1221.html
you want the 32 bit version for your computer

let me know what it finds ( if anything )
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
 
Pages: 1 [2]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines Page created in 1.189 seconds with 20 queries.