Coolpics.net problem... Please help

Discussion in 'malware problems & news' started by pradman, May 17, 2007.

  1. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    Tech Gurus...

    I am facing a lot of problems in my system because of this coolpics.net malware. It has screwed up my system. I am not able to run any commands using Start->Run, my Firefox gets uninstalled and my IE homepage is always coolpics.net. Above all, even my task manager does not work. Please help.
     
  2. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    I noticed that there is another thread in this forum about the same issue. I decided to follow the same instructions and get the Combofix logs. Please ignore it if it is irrelevant. Also, as mentioned in the other thread, I installed BFU and ran the coolpics remover, but to no avail.

    Really appreciate your help on this.




    "Pradip sundaram" - 2007-05-17 23:33:24 Service Pack 2
    ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Pradip sundaram\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\msconfig.exe
    C:\WINDOWS\lsass.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


    2007-05-16 23:17 <DIR> d-------- C:\BFU
    2007-05-15 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-15 13:54 107,520 -rahs---- C:\WINDOWS\system\lsass.exe
    2007-05-15 13:54 107,520 --------- C:\New Folder.exe
    2007-05-11 16:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-04-25 23:36 <DIR> d-------- C:\DOCUME~1\Deeptha\APPLIC~1\Talkback


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-05-16 18:03:23 12 ----a-w C:\WINDOWS\bthservsdp.dat
    2007-05-15 11:04:24 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-05-15 09:42:29 -------- d-----w C:\Program Files\Symantec
    2007-05-05 08:36:47 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\OpenOffice.org2
    2007-04-22 15:49:01 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Skype
    2007-04-14 14:34:09 -------- d-----w C:\Program Files\SimpleOCR
    2007-04-14 14:28:48 -------- d-----w C:\Program Files\ReaSoft
    2007-04-14 14:28:48 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\ReaSoft
    2007-04-14 13:14:07 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Talkback
    2007-03-29 14:33:48 -------- d-----w C:\Program Files\iTunes
    2007-03-29 14:33:35 -------- d-----w C:\Program Files\iPod
    2007-03-29 14:31:19 -------- d-----w C:\Program Files\QuickTime
    2007-03-29 14:29:05 -------- d-----w C:\Program Files\Apple Software Update
    2007-03-28 13:11:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-03-28 13:11:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-03-28 13:11:26 266,552 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    2007-03-28 13:11:24 18,904 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    2007-03-28 13:11:20 37,016 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    2007-03-28 13:11:18 47,192 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    2007-03-28 13:11:14 171,928 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    2007-03-28 13:11:12 11,480 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    2007-03-24 06:02:54 -------- d-----w C:\Program Files\Windows Media Connect 2


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 03:47]
    {47D5A45E-6B1A-11D7-BA96-000021F32E38}=C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL [2003-10-17 16:06]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "DSLAGENTEXE"="C:\\Program Files\\Huawei\\MT882\\dslagent.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1131371244\\ee\\AOLHostManager.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "BigDog305"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
    "googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-18 02:18]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-18 02:13]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 11:35]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 14:31]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 21:55]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 21:54]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-18 05:49]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-14 07:04]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:30 C:\WINDOWS\system32\bthprops.cpl])
    "DSLAGENTEXE"="C:\Program Files\Huawei\MT882\dslagent.exe" [2003-10-31 15:26]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-15 15:12]
    "HostManager"="C:\Program Files\Common Files\AOL\1131371244\ee\AOLHostManager.exe" [2005-08-03 01:03]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-10 04:46]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-07 18:30]
    "BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 15:15]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 08:36]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Awasu]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000
    "NoFolderOptions"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001
    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    bthsvcs BthServ\0\0
    WudfServiceGroup WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Pradip sundaram.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-17 23:36:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exeo_Oo_O??9?0?0?0o_Oo_O? o_OBo_Oo_Oo_Oo_O?H<C? o_Oo_O
    BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)o_Oo_Oo_Oo_Oo_Oo_O?0o_Oo_Oo_O@o_Oo_Oo_Oo_O??

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 95


    ********************************************************************

    Completion time: 2007-05-17 23:37:06
    C:\ComboFix-quarantined-files.txt ... 2007-05-17 23:37
    C:\ComboFix2.txt ... 2007-05-15 23:18
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    When you say "to no avail", how do you mean that exactly?

    I see no remaining startup for coolpics, but the disabled Registry Tools, Task Manager and Run box are still there.

    Please follow these instructions:
    Download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select coolpics.bfu
    • Put a checkmark in the "Show log after script ends"
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Post the BFU log.
    • Press exit to terminate the BFU program.
    Reboot your computer and post a new Combofix log.
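Pieter's point above is that the coolpics startup entry is gone from the log while the lockdown policies remain. As an added example (not part of this thread, of BFU or of ComboFix), the following Python script parses the "Reg Loading Points" section of a ComboFix log, flags the policy values that disable Task Manager, regedit, Start > Run and Folder Options, and emits a .reg fragment that resets them to their default of 0. The embedded sample is constructed from the values shown in the log above; the policy-name table (including the extra NoControlPanel entry) is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Policy values that this kind of malware sets to 1 to lock the user out of the
# tools needed to clean up (the names are the ones visible in the ComboFix log;
# NoControlPanel is an added, assumed extra). Value name -> user-facing effect.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager blocked",
    "DisableRegistryTools": "regedit blocked",
    "NoRun": "Start > Run removed",
    "NoFolderOptions": "Folder Options hidden (cannot unhide files)",
    "NoControlPanel": "Control Panel blocked",
}

# Constructed sample: the policy keys as they appear in the first log in this
# thread, plus one non-policy key to show that it is ignored.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=dword:00000001
"NoRun"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, int]]:
    """Turn '[KEY]' / '"Name"=dword:XXXXXXXX' lines into {key: {name: int}}.
    String values (REG_SZ) are skipped; only DWORDs matter for the policies."""
    parsed: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            parsed.setdefault(current, {})
            continue
        val_match = DWORD_RE.match(line)
        if val_match and current is not None:
            parsed[current][val_match.group("name")] = int(val_match.group("hex"), 16)
    return parsed


def find_lockdowns(parsed: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, effect) for every known lockdown policy that is set
    to a nonzero DWORD under a ...\\policies\\... key. Zero is the normal state."""
    hits = []
    for key, values in parsed.items():
        if "\\policies\\" not in key.lower():
            continue
        for name, value in values.items():
            if name in LOCKDOWN_POLICIES and value != 0:
                hits.append((key, name, LOCKDOWN_POLICIES[name]))
    return hits


def remediation_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Build a .reg file body that resets each flagged value to 0 (the default,
    unrestricted state). Importing it only helps once the malware that keeps
    re-applying the policies has actually been removed."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        for hit_key, name, _ in hits:
            if hit_key == key:
                lines.append(f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_lockdowns(parse_reg_dump(SAMPLE_LOG))
    for key, name, effect in found:
        print(f"{name:22} = 1  ({effect})  in {key}")
    print()
    print(remediation_reg(found))
```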
     
  4. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    By "no avail", what I meant was that though I ran BFU, coolpics.net is still my IE home page, and I am not able to use Start->Run or view the task manager.

    Here are the BFU logs... I'll reboot and post the Combofix logs. Thanks for such immediate help.

    BFU v1.00.9
    Windows XP SP2 (WinNT 5.01.2600 SP2)
    Script started at 12:01:28 AM, on 5/18/2007

    Failed: FileDelete C:\DOCUME~1\PRADIP~1\LOCALS~1\Temp\~DFE488.tmp (operation failed)
    Failed: FileDelete C:\DOCUME~1\PRADIP~1\LOCALS~1\Temp\~DFFB5A.tmp (operation failed)
    Script completed.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Looks good so far. I'll be back later to check on the combofix log.

    Regards,

    Pieter
     
  6. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    The problem still exists :(

    Here are the combofix logs...

    "Pradip sundaram" - 2007-05-18 0:10:24 Service Pack 2
    ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Pradip sundaram\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\msconfig.exe
    C:\WINDOWS\lsass.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


    2007-05-17 23:58 <DIR> d-------- C:\BFU
    2007-05-15 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-15 13:54 107,520 -rahs---- C:\WINDOWS\system\lsass.exe
    2007-05-15 13:54 107,520 --------- C:\New Folder.exe
    2007-05-11 16:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-04-25 23:36 <DIR> d-------- C:\DOCUME~1\Deeptha\APPLIC~1\Talkback


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-05-17 18:35:05 12 ----a-w C:\WINDOWS\bthservsdp.dat
    2007-05-17 18:27:39 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-05-15 09:42:29 -------- d-----w C:\Program Files\Symantec
    2007-05-05 08:36:47 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\OpenOffice.org2
    2007-04-22 15:49:01 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Skype
    2007-04-14 14:34:09 -------- d-----w C:\Program Files\SimpleOCR
    2007-04-14 14:28:48 -------- d-----w C:\Program Files\ReaSoft
    2007-04-14 14:28:48 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\ReaSoft
    2007-04-14 13:14:07 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Talkback
    2007-03-29 14:33:48 -------- d-----w C:\Program Files\iTunes
    2007-03-29 14:33:35 -------- d-----w C:\Program Files\iPod
    2007-03-29 14:31:19 -------- d-----w C:\Program Files\QuickTime
    2007-03-29 14:29:05 -------- d-----w C:\Program Files\Apple Software Update
    2007-03-28 13:11:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-03-28 13:11:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-03-28 13:11:26 266,552 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    2007-03-28 13:11:24 18,904 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    2007-03-28 13:11:20 37,016 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    2007-03-28 13:11:18 47,192 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    2007-03-28 13:11:14 171,928 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    2007-03-28 13:11:12 11,480 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    2007-03-24 06:02:54 -------- d-----w C:\Program Files\Windows Media Connect 2


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 03:47]
    {47D5A45E-6B1A-11D7-BA96-000021F32E38}=C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL [2003-10-17 16:06]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "DSLAGENTEXE"="C:\\Program Files\\Huawei\\MT882\\dslagent.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1131371244\\ee\\AOLHostManager.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "BigDog305"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
    "googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-18 02:18]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-18 02:13]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 11:35]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 14:31]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 21:55]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 21:54]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-18 05:49]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-14 07:04]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:30 C:\WINDOWS\system32\bthprops.cpl])
    "DSLAGENTEXE"="C:\Program Files\Huawei\MT882\dslagent.exe" [2003-10-31 15:26]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-15 15:12]
    "HostManager"="C:\Program Files\Common Files\AOL\1131371244\ee\AOLHostManager.exe" [2005-08-03 01:03]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-10 04:46]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-07 18:30]
    "BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 15:15]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 08:36]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Awasu]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000
    "NoFolderOptions"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001
    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    bthsvcs BthServ\0\0
    WudfServiceGroup WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Pradip sundaram.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-18 00:14:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exeo_Oo_Oo_Oo_Oo_O|o_Oo_O o_OBo_Oo_Oo_Oo_O?H<C? o_Oo_O
    BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)o_Oo_Oo_Oo_Oo_Oo_O?0o_Oo_Oo_O@o_Oo_Oo_Oo_O??

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 95


    ********************************************************************

    Completion time: 2007-05-18 0:14:40
    C:\ComboFix-quarantined-files.txt ... 2007-05-18 00:14
    C:\ComboFix2.txt ... 2007-05-17 23:37
    C:\ComboFix3.txt ... 2007-05-15 23:18
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    OK. I uploaded a new version of the coolpics.bfu to deal with the folder options.

    Can you download the new version and boot into safe mode.
    Then run BFU like you did before, using the new version of coolpics.bfu obviously. Wait for it to complete, boot back to normal and post a new combofix log.

    And, probably not related, but just curious, can you tell me something about:
    this BHO: IEEventTrapper Class - {47D5A45E-6B1A-11D7-BA96-000021F32E38} - C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL

    Regards,

    Pieter
     
  8. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    Thanks Pieter... I'll do what you have asked for...

    Not sure what the DLL does, but I don't see this as a potential problem. Sify is a local Dial-Up ISP I used before switching to Broadband.

    Have some serious cleanup to do:)
     
  9. pradman

    pradman Registered Member

    Joined:
    May 17, 2007
    Posts:
    6
    Pieter...
    Looks like the problem is fixed. Everything seems to work out fine now. Thanks a bunch :)

    Not sure if this is related, but I get a notification from Windows Firewall about blocking of a program by the name of dslagent.

    Thanks again!!!

    Here are the combo fix logs...

    "Pradip sundaram" - 2007-05-18 1:00:54 Service Pack 2 [SAFE MODE]
    ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Pradip sundaram\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\msconfig.exe
    C:\WINDOWS\lsass.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


    2007-05-17 23:58 <DIR> d-------- C:\BFU
    2007-05-15 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-15 13:54 107,520 -rahs---- C:\WINDOWS\system\lsass.exe
    2007-05-15 13:54 107,520 --------- C:\New Folder.exe
    2007-05-11 16:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-04-25 23:36 <DIR> d-------- C:\DOCUME~1\Deeptha\APPLIC~1\Talkback


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-05-17 19:28:17 12 ----a-w C:\WINDOWS\bthservsdp.dat
    2007-05-17 18:27:39 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-05-15 09:42:29 -------- d-----w C:\Program Files\Symantec
    2007-05-05 08:36:47 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\OpenOffice.org2
    2007-04-22 15:49:01 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Skype
    2007-04-14 14:34:09 -------- d-----w C:\Program Files\SimpleOCR
    2007-04-14 14:28:48 -------- d-----w C:\Program Files\ReaSoft
    2007-04-14 14:28:48 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\ReaSoft
    2007-04-14 13:14:07 -------- d-----w C:\DOCUME~1\PRADIP~1\APPLIC~1\Talkback
    2007-03-29 14:33:48 -------- d-----w C:\Program Files\iTunes
    2007-03-29 14:33:35 -------- d-----w C:\Program Files\iPod
    2007-03-29 14:31:19 -------- d-----w C:\Program Files\QuickTime
    2007-03-29 14:29:05 -------- d-----w C:\Program Files\Apple Software Update
    2007-03-28 13:11:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-03-28 13:11:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-03-28 13:11:26 266,552 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    2007-03-28 13:11:24 18,904 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    2007-03-28 13:11:20 37,016 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    2007-03-28 13:11:18 47,192 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    2007-03-28 13:11:14 171,928 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    2007-03-28 13:11:12 11,480 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    2007-03-24 06:02:54 -------- d-----w C:\Program Files\Windows Media Connect 2


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 03:47]
    {47D5A45E-6B1A-11D7-BA96-000021F32E38}=C:\WINDOWS\Sify\COMPON~1\IEINTE~1.DLL [2003-10-17 16:06]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "DSLAGENTEXE"="C:\\Program Files\\Huawei\\MT882\\dslagent.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1131371244\\ee\\AOLHostManager.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "BigDog305"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
    "googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-18 02:18]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-18 02:13]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 11:35]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 14:31]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 21:55]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 21:54]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-18 05:49]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-14 07:04]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:30 C:\WINDOWS\system32\bthprops.cpl])
    "DSLAGENTEXE"="C:\Program Files\Huawei\MT882\dslagent.exe" [2003-10-31 15:26]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-15 15:12]
    "HostManager"="C:\Program Files\Common Files\AOL\1131371244\ee\AOLHostManager.exe" [2005-08-03 01:03]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-10 04:46]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-07 18:30]
    "BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 15:15]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 08:36]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Awasu]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    bthsvcs BthServ\0\0
    WudfServiceGroup WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Pradip sundaram.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-18 01:03:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exeo_Oo_Oo_Oo_Oo_O|o_Oo_O o_OBo_Oo_Oo_Oo_O?H<C? o_Oo_O
    BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)o_Oo_Oo_Oo_Oo_Oo_O?0o_Oo_Oo_O@o_Oo_Oo_Oo_O??

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 95


    ********************************************************************

    Completion time: 2007-05-18 1:03:53
    C:\ComboFix-quarantined-files.txt ... 2007-05-18 01:03
    C:\ComboFix2.txt ... 2007-05-18 00:14
    C:\ComboFix3.txt ... 2007-05-17 23:37
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Thank YOU for helping me update my script.
    Glad we could help. :)

    http://www.liutilities.com/products/wintaskspro/processlibrary/dslagent/ :
    dslagent.exe is installed alongside broadband modems from Eicon networks which comes bundled with many Internet providers. This is required for the Internet connection to operate.

    I don't see any other malware hiding on your system, so you should be fine.

    Is this Sify your provider or a service you use regularly?

    Regards,

    Pieter
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi pradman,

    You still following this?

    Can you find this file:
    C:\New Folder.exe
    If you still have it, I would love to see a copy of it.
    I suspect it could be related to this infection.

    Let me know and we'll discuss a way to get the file to me.

    Regards,

    Pieter
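The two 107,520-byte files created at 13:54 on 2007-05-15 in the log above (C:\WINDOWS\system\lsass.exe with hidden/system attributes, and C:\New Folder.exe) are the kind of coincidence worth flagging automatically when reading a ComboFix log. As an added example (not part of this thread, of BFU or of ComboFix), the script below parses lines in the "Files Created" format seen here, constructed from the posted log, and flags executables with hidden+system attributes, system-binary names outside system32, and files sharing size and creation minute; SYSTEM_NAMES is an assumed short list, not something ComboFix provides.

```python
import re
from collections import defaultdict

# Constructed sample: "Files Created" lines in the ComboFix log format seen in
# this thread (date time [size|<DIR>] attributes path).
SAMPLE_LOG = """\
2007-05-17 23:58 <DIR> d-------- C:\\BFU
2007-05-15 23:18 49,152 --a------ C:\\WINDOWS\\nircmd.exe
2007-05-15 13:54 107,520 -rahs---- C:\\WINDOWS\\system\\lsass.exe
2007-05-15 13:54 107,520 --------- C:\\New Folder.exe
2007-05-11 16:59 664 --a------ C:\\WINDOWS\\system32\\d3d9caps.dat
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$"
)

# Assumed list: Windows binaries whose legitimate copy lives in system32;
# a file with the same name anywhere else deserves a closer look.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}

def parse_created(text):
    """Return a list of (timestamp, size_or_None, attrs, path) per parsable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        size = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append((ts, size, attrs, path))
    return entries

def suspicious(entries):
    """Return {path: [reasons]} for files a responder should look at first."""
    findings = defaultdict(list)
    by_key = defaultdict(list)
    for ts, size, attrs, path in entries:
        if size is None:          # skip directories
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        by_key[(ts, size)].append(path)
        # 'h' and 's' together hide the file from a default Explorer view
        if "h" in attrs and "s" in attrs and name.endswith(".exe"):
            findings[path].append("hidden+system executable")
        if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\system32\\"):
            findings[path].append("system binary name outside system32")
    # identical size and creation minute suggest copies of the same dropper
    for (ts, size), paths in by_key.items():
        if len(paths) > 1:
            for p in paths:
                findings[p].append(f"same size/time as {len(paths) - 1} other file(s)")
    return dict(findings)
```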
     