Yahoo IM coolpics.net problem!!!

Discussion in 'malware problems & news' started by cmanjunath, May 12, 2007.

Thread Status:
Not open for further replies.
  1. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hello,

    I mistakenly clicked on some link on yahoo IM which has completed messed my system!

    I cannot access Task Manager :'(
    I dont find "RUN" on the Start Menu :'(
    I cant edit the IE home page.. It keeps redirecting to the same coolpics site :mad:

    I have tried so many things i read on various forums, but none have helpded.

    I even tried the BFU installer?? But to no avail...

    I tried opened the CMD from system32 and made some registry changes to enable regedit and taskmanager, however it lets me open them only after after the entry is executed in cmd....

    I can see anything suspicious running in TaskMgr though...

    Tried changing the homepage form the registry, but that dint help...

    I see that LSASS.exe keeps running always and takes a lot of CPU memory... Could that be the culprit??

    Also I see a folder in each of the HD drives called "IT University", this looks like an application (.exe)...

    Can someone please guide how can get rid of this irritating thing, before i try to reinstall my OSo_O

    I have stopped connecting to internet from yesterday fearing that it may cause any further problems...
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Yes I have followed all the instructions mentioned on that site...

    I also checked the box to show the logs after the execution... it came back saying it failed...
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  5. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Yes, I did go thru that post... And followed instructions from there too...
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I sent u a PM.



    snowbound
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi cmanjunath,

    snowbound asked me to help you. :)

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Regards,

    Pieter
     
  8. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    I am having trouble connecting to the internet from my affected PC...

    I ll try tomorrow and will post the logs here.

    Thanks!
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    No problem. I'll check tomorrow. :cool:
     
  10. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Please find the logs below:

    ***************

    "Manju" - 2007-05-14 17:43:12 Service Pack 2
    ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Manju\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\msconfig.exe
    C:\WINDOWS\lsass.exe
    C:\WINDOWS\system\svchost.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))


    2007-05-11 19:16 <DIR> d-------- C:\BFU
    2007-05-09 23:22 <DIR> d--hs---- C:\FOUND.004
    2007-05-09 22:51 107,520 -rahs---- C:\WINDOWS\system\lsass.exe
    2007-05-09 22:51 107,520 --------- C:\New Folder.exe
    2007-04-29 17:47 <DIR> d-------- C:\Program Files\BITSAT_2007_Sample
    2007-04-17 23:11 <DIR> d-------- C:\WINDOWS\source
    2007-04-16 18:57 <DIR> d-------- C:\WINDOWS\pss
    2007-04-15 10:17 <DIR> d-------- C:\Program Files\Sify Broadband


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-13 14:50:54 -------- d-----w C:\Program Files\Remedy
    2007-04-13 14:50:12 -------- d-----w C:\Program Files\ACNU
    2007-04-13 14:49:54 -------- d-----w C:\Program Files\Nortel Networks
    2007-04-08 14:24:50 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-04-08 14:24:24 -------- d-----w C:\Program Files\MSN Messenger
    2007-04-08 14:24:22 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-04-05 13:43:18 -------- d-----w C:\Program Files\Symantec AntiVirus
    2007-04-03 13:56:42 -------- d-----w C:\DOCUME~1\Manju\APPLIC~1\AdobeUM
    2007-04-03 12:20:22 -------- d-----w C:\DOCUME~1\Manju\APPLIC~1\Broadband


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
    {C08DF07A-3E49-4E25-9AB0-D3882835F153}=C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll [2001-08-10 14:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "hffsrv"="c:\\windows\\hffext\\hffsrv.exe"
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    @=""
    "inetsrv"="C:\\WINDOWS\\system32\\inetsrv.exe"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
    "Task Manager"="C:\\WINDOWS\\system\\svchost.exe"
    "Yahoo Messenger"="C:\\WINDOWS\\system\\svchost32.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
    "hffsrv"="c:\windows\hffext\hffsrv.exe" [2006-01-25 21:11]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-12-05 16:49]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-26 20:46]
    "nwiz"="nwiz.exe" [2006-02-26 20:46 C:\WINDOWS\system32\nwiz.exe])
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-10-13 21:05 C:\WINDOWS\system32\HdAShCut.exe])
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 06:41]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-12 11:09]
    "@"="" [])
    "inetsrv"="C:\WINDOWS\system32\inetsrv.exe" [2003-06-20 03:05]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-26 20:46]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
    "Task Manager"="C:\WINDOWS\system\svchost.exe" []
    "Yahoo Messenger"="C:\WINDOWS\system\svchost32.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55]
    "SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "SifyBB"="C:\\Program Files\\Sify Broadband\\BBImpSec.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "LvHidSvc"="C:\\WINDOWS\\system32\\lvhidsvc.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "msnsc"="C:\\WINDOWS\\system32\\msnsc.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001
    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCENT.SYS
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\HideFilesAndFolders_S

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
    C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^intervideo wincinema manager.lnk
    C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^tvr schedule.lnk
    C:\WINDOWS\Installer\{E4C3B10E-E277-4458-8440-DAE332D50BF3}\_4ae13d6c.exe

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sony ericsson pc suite
    "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0436aa64-0679-11db-8a6d-dd0aeee73d78}]
    Shell\AutoRun\command J:\.\Recycled\Driveinfo.exe
    Shell\Open\Command J:\.\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09c27ec0-634b-11db-8ae2-0015f25b4856}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77098c98-be8c-11db-8b3a-0015f25b4856}]
    Shell\AutoRun\command J:\.\Recycled\Driveinfo.exe
    Shell\Open\Command J:\.\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9946b8f2-05ec-11db-8a6b-8f7ced26017f}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb0fa666-5c23-11db-8ad6-0015f25b4856}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-14 17:44:17
    Windows 5.1.2600 Service Pack 2 FAT

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-14 17:44:21
    C:\ComboFix-quarantined-files.txt ... 2007-05-14 17:44
     
  11. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hi Pieter,

    Is it OK if i connect to internet on this infected PC? Coz i saw something about Sify Beoadband in the log file... thats the client I use to connect to the internet....
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    It shouldn't leak anything that is hasn't already leaked.
    As far as I know all this malware does is display annoying ads.
    The log is a snaphot of your PC and doesn't reveal any usable personal info.
    I do see your log so no worries there.

    Analyzing now ......
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I actually see no reason why my BFU script would not have worked.

    One question:
    Did you or some software you are using disable the Folder options menu?

    (In explorer > tools > you will see no Folder options )
    No problem if it is by design. Could be due to using HFF

    Please follow these instructions:
    Download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: ) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select coolpics.bfu
    • Put a checkmark in the "Show log after script ends"
    • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Post the BFU log.
    • Press exit to terminate the BFU program.
    Reboot your computer and post a new Combofix log.
     
  14. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hello,

    1. I checked in Explorer and could not find folder oprtions. I used to find this in the past...

    2. I ran the BFU, like I have done in the past... Here are the logs:

    BFU v1.00.9
    Windows XP SP2 (WinNT 5.01.2600 SP2)
    Script started at 9:20:27 PM, on 5/14/2007

    Failed: FileDelete C:\DOCUME~1\Manju\LOCALS~1\Temp\~DF67B0.tmp (operation failed)
    Failed: FileDelete C:\DOCUME~1\Manju\LOCALS~1\Temp\~DF7552.tmp (operation failed)
    Failed: FileDelete C:\DOCUME~1\Manju\LOCALS~1\Temp\~DF47E9.tmp (operation failed)
    Failed: FolderDelete C:\Documents and Settings\Manju\Local Settings\Temporary Internet Files\Content.IE5\KXOTQJW1 (operation failed)
    Script completed.

    3. Will reboot, run the combofix and copy the logs.
     
  15. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    I ran BFU, rebooted and reran the Combofix.... Here's the log report for you....

    **************************

    "Manju" - 2007-05-14 21:25:36 Service Pack 2
    ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Manju\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\msconfig.exe
    C:\WINDOWS\lsass.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))


    2007-05-14 21:18 <DIR> d-------- C:\BFU
    2007-05-14 17:44 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-09 23:22 <DIR> d--hs---- C:\FOUND.004
    2007-05-09 22:51 107,520 -rahs---- C:\WINDOWS\system\lsass.exe
    2007-05-09 22:51 107,520 --------- C:\New Folder.exe
    2007-04-29 17:47 <DIR> d-------- C:\Program Files\BITSAT_2007_Sample
    2007-04-17 23:11 <DIR> d-------- C:\WINDOWS\source
    2007-04-16 18:57 <DIR> d-------- C:\WINDOWS\pss
    2007-04-15 10:17 <DIR> d-------- C:\Program Files\Sify Broadband


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-13 14:50:54 -------- d-----w C:\Program Files\Remedy
    2007-04-13 14:50:12 -------- d-----w C:\Program Files\ACNU
    2007-04-13 14:49:54 -------- d-----w C:\Program Files\Nortel Networks
    2007-04-08 14:24:50 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-04-08 14:24:24 -------- d-----w C:\Program Files\MSN Messenger
    2007-04-08 14:24:22 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-04-05 13:43:18 -------- d-----w C:\Program Files\Symantec AntiVirus
    2007-04-03 13:56:42 -------- d-----w C:\DOCUME~1\Manju\APPLIC~1\AdobeUM
    2007-04-03 12:20:22 -------- d-----w C:\DOCUME~1\Manju\APPLIC~1\Broadband


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
    {C08DF07A-3E49-4E25-9AB0-D3882835F153}=C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll [2001-08-10 14:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "hffsrv"="c:\\windows\\hffext\\hffsrv.exe"
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    @=""
    "inetsrv"="C:\\WINDOWS\\system32\\inetsrv.exe"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
    "hffsrv"="c:\windows\hffext\hffsrv.exe" [2006-01-25 21:11]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-12-05 16:49]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-26 20:46]
    "nwiz"="nwiz.exe" [2006-02-26 20:46 C:\WINDOWS\system32\nwiz.exe])
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-10-13 21:05 C:\WINDOWS\system32\HdAShCut.exe])
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 06:41]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-12 11:09]
    "@"="" [])
    "inetsrv"="C:\WINDOWS\system32\inetsrv.exe" [2003-06-20 03:05]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-26 20:46]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55]
    "SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "SifyBB"="C:\\Program Files\\Sify Broadband\\BBImpSec.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "LvHidSvc"="C:\\WINDOWS\\system32\\lvhidsvc.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "msnsc"="C:\\WINDOWS\\system32\\msnsc.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001
    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCENT.SYS
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\HideFilesAndFolders_S

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
    C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^intervideo wincinema manager.lnk
    C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^tvr schedule.lnk
    C:\WINDOWS\Installer\{E4C3B10E-E277-4458-8440-DAE332D50BF3}\_4ae13d6c.exe

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sony ericsson pc suite
    "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter HTTPFilter\0\0
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    DcomLaunch DcomLaunch\0TermService\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0436aa64-0679-11db-8a6d-dd0aeee73d78}]
    Shell\AutoRun\command J:\.\Recycled\Driveinfo.exe
    Shell\Open\Command J:\.\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09c27ec0-634b-11db-8ae2-0015f25b4856}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77098c98-be8c-11db-8b3a-0015f25b4856}]
    Shell\AutoRun\command J:\.\Recycled\Driveinfo.exe
    Shell\Open\Command J:\.\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9946b8f2-05ec-11db-8a6b-8f7ced26017f}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb0fa666-5c23-11db-8ad6-0015f25b4856}]
    Shell\AutoRun\command .\Recycled\Driveinfo.exe
    Shell\Open\Command .\Recycled\Driveinfo.exe

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-14 21:26:37
    Windows 5.1.2600 Service Pack 2 FAT

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-14 21:26:40
    C:\ComboFix-quarantined-files.txt ... 2007-05-14 21:26
    C:\ComboFix2.txt ... 2007-05-14 17:44
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Ok. So we have a little more to deal with:

    First we will make a backup of your registry.
    Go to Start > Run
    Type:
    • regedit
    Click OK.
    • On the leftside, click to highlight My Computer at the top.
    • Go up to "File > Export"
      • Make sure in that window there is a tick next to "All" under Export Branch.
        Leave the "Save As Type" as "Registration Files".
        Under "Filename" put backup
    • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
    • Click save and then go to File > Exit.
    This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

    Next, please launch Notepad, and copy/paste the contents of the code box below into a new Notepad file, starting from the phrase REGEDIT4. Save it with file name RegFix.reg and save as file type: all files to your desktop.


    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "inetsrv"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    "DisableTaskMgr"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=-
    "NoRun"=-
    

    Now please locate RegFix.reg on your desktop, double click it, and click OK to allow it to merge with your registry.

    Once done, reboot your computer and post a new ComboFix log.

    Regards,

    Pieter
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One extra step please.
    Please do this before you reboot, but after applying the registry fix.

    Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
    (Set filetype to "All Files")


    attrib -r -s -h %systemdrive%\Recycler
    del %systemdrive%\Recycler
    attrib -r -s -h %systemdrive%\Recycled
    del %systemdrive%\Recycled
    shutdown /r /t 0 /f


    Close all programs and doubleclick recyclerem.bat

    Your computer will reboot and you will have a shiny new (empty) recycle bin.
    So if there is anything in there (besides a worm called Driveinfo.exe) make sure you have copies.
     
  18. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hi Pieter,

    I do not have RUN when I click on start! That disappeared when the PC got infected.

    I cant open regedit from C\Windows\System32... it gives an error that the admin has blocked it?? or something like that...

    Somebody had given me a command that I ran using cmd from the system32 folder... This lets me open the regedit only for once after I run this command...

    Please advise how I would be able to follow the steps you have instructed...

    Thanks Much!
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    If regedit has been disabled we will have to wing it if we need a backup.
    I think I can repair any damage.
    Proceed without making a backup.

    @ annoyed,

    Your post was split off and you will be helped separately or we will end up confusing all of us, me first. :D

    Regards,

    Pieter
     
  20. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hi Pieter,

    Am sorry, I dint get your instructions... Do u mean I can skip the registry backup step and try the others?

    Will the registry fix file still work when the regedit is disabled?

    Thanks
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Yes please.
    That depends on how they disabled it. My guess is doubleclicking a reg file should still work.

    Let me know.
    If it fails I will write you another bfu script.
     
  22. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Hi Pieter,

    Clicking on the file still gave me the error that regedit has been disabled... it got disabled when the PC got infected.

    Anyways, I reinstlled the Win XP on a different drive and formatted my primary drive... as I did have much data to loose...

    Now my new OS seems to be Okay, I have installed Spybot search & Destroy and ran a search and now all is clean :)

    Howeve, I want to make sure i dont run into these irritating viruses in the future...

    Can u please suggest a good Antivirus software i can download which is effective, unline Norton which was of no help....

    Thanks again!
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I am sorry you had to take such drastic measures. :(

    There are several good AVs. I don't think it's my place to determine what's right for you.
    I use Kaspersky, NOD32 and AVG on different computers. I find them all sufficient, but much depends on your computer habits (mainly surfing) and other security measures.

    Even Norton knows the worm you had besides coolpics:
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-062913-2851-99&tabid=2

    If your computer is networked you may want to check the other computers in the network.

    Be carefull out there and read a lot in these forums which are full of good information on computer security. :)

    Regards,

    Pieter
     
  24. cmanjunath

    cmanjunath Registered Member

    Joined:
    May 12, 2007
    Posts:
    12
    Thanks much Pieter! :)
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    My pleasure. :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.