
Vundo - Removed, but still have some after-effects



Hi All,

Somewhere during last night I contracted Vundo. (I had left my system on. I don't know if I can contract Vundo just by that, or perhaps from some site I visited yesterday.) Today I got MBAM and cleaned up the infection. But as the infected DLL files and registry entry weren't removed after rebooting several times, I booted into a BartPE recovery disk and deleted the infected files, and also the registry entry (by offline-loading the registry hive from within BartPE). After that, Vundo seems to be gone. I checked with MBAM and it says that my system is clean. For good measure I also checked with Symantec AntiVirus, and with the online scanner from Panda, and all of them say that my system is clean. But I have one issue now... No, two:

- Symantec Auto-Protect is Disabled. If i enable it, it gets disabled again within a second.

- In Firefox, if i click on a link or do a "Open in new tab", it opens some junk "Not Found" page, but if i copy-paste the link, then it works OK.

Please tell me if I still have malware, or if this is some after-effect. Please find attached my latest HijackThis and MBAM logs.

Thank You Very Much

Rajesh

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:21:42 PM, on 6/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\DGAgent\DgService.exe

C:\Program Files\DGAgent\dgagent.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\WINDOWS\system32\AeXNSAgent32.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Altiris\Recovery Solution Agent\AeXRSAgt.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Altiris\Recovery Solution Agent\AeXRSAView.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\WRProbeSvc.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\Program Files\DGAgent\DgScan.exe

C:\Program Files\Altiris\AClient\AClntUsr.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.broadcom.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.broadcom.com/

O2 - BHO: (no name) - {05A12010-E7A9-423E-9F8C-596D9A417FFe} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll

O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE

O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ccApp] -

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [AeXRSAView] C:\Program Files\Altiris\Recovery Solution Agent\AeXRSAView.exe -logon

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O15 - Trusted Zone: *.broadcom.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ad.broadcom.com

O17 - HKLM\Software\..\Telephony: DomainName = corp.ad.broadcom.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ad.broadcom.com

O20 - AppInit_DLLs: AMINIT.dll

O20 - Winlogon Notify: ccnotify - C:\Program Files\Rational\bin\ccnotify.dll (file missing)

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe

O23 - Service: AeXNSAgent32 - Unknown owner - C:\WINDOWS\system32\AeXNSAgent32.exe

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\albd_server.exe

O23 - Service: Altiris Local Recovery Server - Altiris, Inc. - C:\Program Files\Altiris\Recovery Solution Agent\LocalRSvc.exe

O23 - Service: Altiris Recovery Solution Agent - Altiris, Inc. - C:\Program Files\Altiris\Recovery Solution Agent\AeXRSAgt.exe

O23 - Service: Altiris Recovery Solution FAL Stopper - Altiris, Inc. - C:\Program Files\Altiris\Recovery Solution Agent\AeXFALS.exe

O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe

O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe

O23 - Service: Rational Cred Manager (cccredmgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - - (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe

O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Usage History Scanning Service (DGScan) - Verdasys, Inc. - C:\Program Files\DGAgent\DgScan.exe

O23 - Service: Usage History Monitor (DGService) - Verdasys, Inc. - C:\Program Files\DGAgent\DgService.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe

O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Rational Lock Manager (LockMgr) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe

O23 - Service: Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: Wind River Probe (WindRiverProbe) - Wind River Systems - C:\WINDOWS\system32\WRProbeSvc.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 8108 bytes

Malwarebytes' Anti-Malware 1.38

Database version: 2323

Windows 5.1.2600 Service Pack 2

6/22/2009 10:26:42 PM

mbam-log-2009-06-22 (22-26-42).txt

Scan type: Quick Scan

Objects scanned: 115160

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

- Symantec Auto-Protect is Disabled. If i enable it, it gets disabled again within a second.
This isn't always caused by malware. Corruption in the program itself may cause the same thing, and this isn't that uncommon with Norton, as this issue has already been reported a couple of times.

Did you set these?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.broadcom.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.broadcom.com/

If not, check them in HijackThis and click the "Fix checked" button below.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Thanks for the reply. It gives me hope to see a response.

This isn't always caused by malware. A corruption in the program itself may cause the same and this isn't that uncommon with Norton as this issue was reported already a couple of times.

The reason I think it is some malware activity is this: I compared the Program Files\Symantec AntiVirus folder with a backup. I see two .dat files changed, and one .dat file removed. I restored these files from the backup, and then again, if I try to enable Auto-Protect, the files get changed and deleted.

Did you set these?

Yes.

Please find attached the ComboFix log. Even now, Symantec Auto-Protect can't be enabled. I haven't tried surfing in Firefox yet.

ComboFix 09-06-22.0A - srajesh 06/23/2009 6:56.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1572 [GMT -7:00]

Running from: c:\documents and settings\srajesh\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Application Data\zqpgubwx

c:\documents and settings\NetworkService\Local Settings\Application Data\zqpgubwx

c:\documents and settings\srajesh\Application Data\zqpgubwx

c:\documents and settings\srajesh\Local Settings\Application Data\zqpgubwx

c:\windows\system32\drivers\bkggeyhf.sys

c:\windows\system32\drivers\ibhqjrjy.sys

c:\windows\system32\drivers\SKYNETlobbpkti.sys

c:\windows\system32\SKYNETaujyeuxf.dat

c:\windows\system32\SKYNETlxgmxttg.dll

c:\windows\system32\SKYNETvkaldpmt.dll

c:\windows\system32\SKYNETysnlotnk.dat

c:\documents and settings\NetworkService\Application Data\zqpgubwx\profiles.ini

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\cert8.db

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\compatibility.ini

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\compreg.dat

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\cookies.sqlite

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\formhistory.sqlite

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\key3.db

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\localstore.rdf

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\permissions.sqlite

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\places.sqlite

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\places.sqlite-journal

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\pluginreg.dat

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\prefs.js

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\secmod.db

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\webappsstore.sqlite

c:\documents and settings\NetworkService\Application Data\zqpgubwx\Profiles\kqlmkeou.default\xpti.dat

c:\documents and settings\NetworkService\Local Settings\Application Data\zqpgubwx\Profiles\kqlmkeou.default\urlclassifier3.sqlite

c:\documents and settings\NetworkService\Local Settings\Application Data\zqpgubwx\Profiles\kqlmkeou.default\XPC.mfl

c:\documents and settings\srajesh\Application Data\zqpgubwx\profiles.ini

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\cert8.db

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\compatibility.ini

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\compreg.dat

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\cookies.sqlite

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\formhistory.sqlite

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\key3.db

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\localstore.rdf

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\parent.lock

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\permissions.sqlite

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\places.sqlite

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\places.sqlite-journal

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\places.sqlite-stmtjrnl

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\pluginreg.dat

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\prefs.js

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\secmod.db

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\webappsstore.sqlite

c:\documents and settings\srajesh\Application Data\zqpgubwx\Profiles\0yimccl5.default\xpti.dat

c:\documents and settings\srajesh\Local Settings\Application Data\zqpgubwx\Profiles\0yimccl5.default\urlclassifier3.sqlite

c:\documents and settings\srajesh\Local Settings\Application Data\zqpgubwx\Profiles\0yimccl5.default\XPC.mfl

c:\windows\system32\drivers\SKYNETlobbpkti.sys

c:\windows\system32\idwhwrp.dll

c:\windows\system32\luyeism.dll

c:\windows\system32\pcgejggy.dll

c:\windows\system32\SKYNETaujyeuxf.dat

c:\windows\system32\SKYNETlxgmxttg.dll

c:\windows\system32\SKYNETvkaldpmt.dll

c:\windows\system32\SKYNETysnlotnk.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETqrqqaqjo

-------\Legacy_IBHQJRJY

-------\Service_ibhqjrjy

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))

.

2009-06-23 14:09 . 2009-06-23 14:09 53248 ----a-w- c:\temp\catchme.dll

2009-06-23 14:09 . 2009-06-23 14:09 -------- d-----w- c:\temp\WPDNSE

2009-06-23 14:09 . 2009-06-23 14:09 16384 ----atw- c:\temp\Perflib_Perfdata_c7c.dat

2009-06-23 14:06 . 2009-06-23 14:06 60416 ----a-w- c:\temp\Perflib_Perfdata__755.dat

2009-06-23 14:05 . 2009-06-23 14:05 16384 ----atw- c:\temp\Perflib_Perfdata_6cc.dat

2009-06-23 13:55 . 2009-06-23 13:55 16384 ----atw- c:\temp\Perflib_Perfdata_578.dat

2009-06-23 06:10 . 2009-06-23 13:44 -------- d-----w- c:\temp\vmware-srajesh

2009-06-23 04:24 . 2009-06-23 04:24 28029 ----a-w- c:\windows\system32\nvModes.dat

2009-06-23 03:22 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-06-23 03:22 . 2009-06-23 03:22 -------- d-----w- c:\program files\Panda Security

2009-06-23 01:11 . 2009-06-23 13:39 -------- d-----w- c:\temp\hsperfdata_srajesh

2009-06-23 00:14 . 2009-06-23 00:14 -------- d-----w- c:\program files\Trend Micro

2009-06-22 23:23 . 2009-06-22 23:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-22 23:12 . 2009-06-22 23:12 -------- d-----w- c:\documents and settings\srajesh\Application Data\Desktopicon

2009-06-22 23:12 . 2009-06-23 00:58 -------- d-----w- c:\program files\Unlocker

2009-06-22 22:38 . 2009-06-23 14:06 -------- d-s---w- c:\temp\Cookies

2009-06-22 22:38 . 2009-06-22 22:38 -------- d-s---w- c:\temp\Temporary Internet Files

2009-06-22 22:23 . 2009-06-22 22:23 -------- d-----w- c:\documents and settings\srajesh\Application Data\Malwarebytes

2009-06-22 22:23 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-22 22:23 . 2009-06-22 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-22 22:23 . 2009-06-22 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-22 22:23 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-22 20:47 . 2008-04-14 17:30 132608 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-22 20:32 . 2009-06-22 20:32 -------- d-s---w- c:\temp\History

2009-06-08 17:44 . 2006-12-04 23:53 187184 ----a-w- c:\windows\pskill.exe

2009-06-06 06:18 . 2009-06-06 06:18 -------- d-----w- c:\documents and settings\srajesh\Local Settings\Application Data\{8F63B591-B784-4C35-846E-BD9A6D261665}

2009-05-29 09:24 . 2009-05-29 09:24 -------- d-----w- c:\documents and settings\srajesh\Application Data\Cisco

2009-05-29 09:21 . 2009-05-29 09:21 -------- d-----w- c:\program files\Common Files\Cisco Systems

2009-05-29 09:21 . 2009-05-29 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco

2009-05-29 03:56 . 2009-05-29 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{56D005FF-7D1E-4AB2-AB90-C57391FA9F0D}

2009-05-29 03:56 . 2009-03-30 02:37 2620159 ----a-w- c:\documents and settings\All Users\Application Data\{56D005FF-7D1E-4AB2-AB90-C57391FA9F0D}\DGAgentSetup.exe

2009-05-29 03:56 . 2009-03-30 02:37 171869 ----a-w- c:\documents and settings\All Users\Application Data\{56D005FF-7D1E-4AB2-AB90-C57391FA9F0D}\mia.dll

2009-05-29 03:54 . 2009-05-29 03:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Seven Zip

2009-05-29 01:34 . 2009-05-29 03:57 53248 ----a-w- c:\windows\PSEXESVC.EXE

2009-05-28 05:15 . 2009-03-26 12:01 55856 ----a-w- c:\windows\system32\vnetinst.dll

2009-05-28 05:15 . 2009-03-26 12:01 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2009-05-28 05:15 . 2009-03-26 17:27 326192 ----a-w- c:\windows\system32\vmnetdhcp.exe

2009-05-28 05:15 . 2009-03-26 17:27 399920 ----a-w- c:\windows\system32\vmnat.exe

2009-05-28 05:15 . 2009-03-26 17:28 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2009-05-28 05:15 . 2009-03-26 12:01 50736 ----a-w- c:\windows\system32\vmnetbridge.dll

2009-05-28 05:15 . 2009-03-26 12:01 31280 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2009-05-28 05:15 . 2009-03-26 12:01 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2009-05-28 05:15 . 2009-03-26 17:27 723504 ----a-w- c:\windows\system32\vnetlib.dll

2009-05-28 05:14 . 2009-03-26 17:28 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2009-05-28 05:14 . 2009-05-28 05:14 -------- d-----w- c:\program files\VMware

2009-05-27 06:39 . 2009-05-27 06:39 -------- d-----w- c:\program files\MSXML 4.0

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-23 14:09 . 2008-01-17 09:42 -------- d-----w- c:\program files\Symantec AntiVirus

2009-06-23 14:09 . 2008-02-01 05:10 -------- d-----w- c:\documents and settings\ccase_albd3\Application Data\VMware

2009-06-23 14:09 . 2008-02-01 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2009-06-23 13:36 . 2007-06-11 17:03 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys

2009-06-23 06:11 . 2008-02-01 05:12 -------- d-----w- c:\documents and settings\srajesh\Application Data\VMware

2009-06-21 08:00 . 2009-06-22 14:27 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2daa06.vdb\ECMSVR32.DLL

2009-06-17 08:00 . 2009-06-22 14:27 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2da203.vdb\ECMSVR32.DLL

2009-06-04 15:22 . 2009-04-14 05:04 86016 ----a-w- c:\documents and settings\srajesh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\specialhook.dll

2009-06-04 15:22 . 2009-04-14 05:04 158720 ----a-w- c:\documents and settings\srajesh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\audiofunc.dll

2009-06-02 06:40 . 2008-01-22 10:30 83264 ----a-w- c:\documents and settings\srajesh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-29 09:21 . 2008-01-17 09:47 -------- d-----w- c:\program files\Cisco Systems

2009-05-28 12:42 . 2008-03-14 12:57 -------- d-----w- c:\program files\TortoiseCVS

2009-05-28 05:16 . 2008-02-01 04:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2009-05-06 06:19 . 2009-05-06 06:19 -------- d-----w- c:\documents and settings\srajesh\Application Data\Digsby

2009-04-14 05:04 . 2009-04-14 05:04 3253752 ----a-w- c:\documents and settings\srajesh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\ciscounifiedaddin6x5.exe

2009-04-09 11:32 . 2009-04-09 11:32 89088 ----a-w- c:\documents and settings\srajesh\Application Data\Desktopicon\eBayShortcuts.exe

2009-03-30 02:11 . 2009-03-30 02:11 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-03-30 02:11 . 2009-03-30 02:11 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-03-26 17:28 . 2009-03-26 17:28 54960 ----a-w- c:\windows\system32\drivers\vmci.sys

2009-03-26 17:28 . 2009-03-26 17:28 857520 ----a-w- c:\windows\system32\drivers\vmx86.sys

2009-03-26 17:28 . 2009-03-26 17:28 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

2009-03-26 17:27 . 2009-03-26 17:27 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

2009-03-26 13:41 . 2009-03-26 13:41 248368 ----a-w- c:\windows\system32\vmnc.dll

2009-03-26 12:01 . 2008-09-28 04:34 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2008-07-17 04:20 . 2008-01-26 16:34 2025 ----a-w- c:\program files\Altir?

2008-07-17 04:20 . 2008-01-23 13:04 2832 ----a-w- c:\program files\Altir

2005-11-15 10:02 . 2005-11-15 10:02 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico

2008-02-07 16:16 . 2008-02-07 16:16 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-07 16:16 . 2008-02-07 16:16 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-07 16:16 . 2008-02-07 16:16 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-07 16:16 . 2008-02-07 16:16 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-07 16:16 . 2008-02-07 16:16 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-07 16:16 . 2008-02-07 16:16 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-07 16:16 . 2008-02-07 16:16 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 11:57 . 2007-03-16 11:57 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 11:57 . 2007-03-16 11:57 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 11:57 . 2007-03-16 11:57 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-07-20 07:17 . 2007-07-20 07:17 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-07 16:16 . 2008-02-07 16:16 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2008-01-22 12:57 . 2008-01-22 10:29 88 --sh--w- c:\windows\system32\03E2AC0881.sys

2008-01-22 12:57 . 2008-01-22 10:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="-" [X]

"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-06-23 184320]

"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-10-30 153416]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-26 1282048]

"AeXRSAView"="c:\program files\Altiris\Recovery Solution Agent\AeXRSAView.exe" [2007-05-31 1204224]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-11 151552]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-03-26 64048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 1 (0x1)

"Start_ShowNetConn"= 1 (0x1)

"NoChangeAnimation"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoDevMgrUpdate"= 1 (0x1)

"NoChangeAnimation"= 1 (0x1)

"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProtectedStorage]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=

"c:\\Program Files\\Klever\\Nothings\\PumpKIN.exe"=

"c:\\WindRiver\\workbench-2.6\\dfw\\0160q\\host\\x86-win32\\bin\\dfwserver.exe"=

"c:\\WindRiver\\jre\\1.5.0_11\\x86-win32\\bin\\javaw.exe"=

"c:\\WindRiver\\workbench-2.6\\foundation\\4.0.11\\x86-win32\\bin\\wtxregd.exe"=

"c:\\WindRiver\\workbench-2.6\\wrwb\\windriver\\eclipse\\plugins\\com.windriver.ide.symbol.win32_2.6.0\\os\\win32\\x86\\sniffcpp.exe"=

"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=

"c:\\Rajesh\\Portable Apps\\Yahoo! Messenger.exe"=

"c:\\Rajesh\\Portable Apps\\Skype\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"43189:TCP"= 43189:TCP:Altiris Recovery Agent

R0 OfmLvDrv;OfmLvDrv;c:\windows\system32\drivers\ofmlvdrv.sys [5/16/2007 2:42 AM 118683]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/22/2009 8:22 PM 28544]

R1 AeXNSAgent32_;AeXNSAgent32_;c:\windows\system32\AeXNSAgent32_.sys [6/8/2007 5:50 PM 24064]

R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [3/23/2005 7:14 PM 9216]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2/5/2009 1:10 AM 100560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2/5/2009 1:10 AM 41680]

R2 AeXNSAgent32;AeXNSAgent32;c:\windows\system32\AeXNSAgent32.exe [6/8/2007 5:50 PM 458752]

R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [1/17/2008 2:45 AM 33664]

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [9/12/2006 7:46 PM 35697]

R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [11/10/2008 3:44 AM 53408]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:18 AM 116416]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 10:28 AM 54960]

R2 WindRiverProbe;Wind River Probe;c:\windows\system32\WRProbeSvc.exe [11/10/2008 5:21 AM 245728]

R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [9/12/2006 7:47 PM 1293345]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 6:28 AM 101936]

R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [7/24/2006 11:31 AM 508628]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/5/2009 1:10 AM 87312]

S2 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [7/24/2006 10:27 AM 176016]

S3 Altiris Local Recovery Server;Altiris Local Recovery Server;c:\program files\Altiris\Recovery Solution Agent\LocalRSvc.exe [5/31/2007 8:35 AM 856064]

S3 Dgabtpcc;Bluetooth PC Card;c:\windows\system32\drivers\dgabtpcc.sys [6/28/2008 11:04 PM 167571]

S3 Dgal2cap;Bluetooth Bus Driver;c:\windows\system32\drivers\dgaL2Cap.sys [6/28/2008 11:04 PM 54953]

S3 DGANAT;Bluetooth NAT Protocol;c:\windows\system32\drivers\dgaNAT.sys [6/28/2008 11:04 PM 28049]

S3 DgaNdis;Bluetooth Ethernet Adapter;c:\windows\system32\drivers\dgaNdis.sys [6/28/2008 11:04 PM 7439]

S3 DGARFCOM;%DGARFCOM.DeviceDesc%;c:\windows\system32\drivers\dgaRfCom.sys [6/28/2008 11:04 PM 48265]

S3 DGASDP;Bluetooth SDP Protocol;c:\windows\system32\drivers\dgaSdp.sys [6/28/2008 11:04 PM 34017]

S3 DgaSer;%DGASER.DeviceDesc%;c:\windows\system32\drivers\dgaSer.sys [6/28/2008 11:04 PM 44423]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IBHQJRJY

*Deregistered* - ibhqjrjy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

chjtmgsb

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

BHO-{05A12010-E7A9-423E-9F8C-596D9A417FFe} - (no file)

Notify-ccnotify - c:\program files\Rational\bin\ccnotify.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://intranet.broadcom.com/

uInternet Connection Wizard,ShellNext = hxxp://intranet.broadcom.com/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

Trusted Zone: broadcom.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-23 07:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\program files\DGAgent\DgService.exe [768] 0x88B39DA0

c:\program files\DGAgent\DgAgent.exe [1740] 0x88BEB020

c:\program files\DGAgent\DgPrompt.exe [3268] 0x886A9B08

c:\program files\DGAgent\DgScan.exe [2780] 0x8879CDA0

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\DGAPIMon.sys 115712 bytes executable

c:\windows\system32\drivers\DGBUSMon.sys 42368 bytes executable

c:\windows\system32\drivers\DGCotMan.sys 116352 bytes executable

c:\windows\system32\drivers\dgdmk.sys 289152 bytes executable

c:\windows\system32\drivers\dgdmkl.sys 290432 bytes executable

c:\windows\system32\drivers\dgds.sys 166656 bytes executable

c:\windows\system32\drivers\dgdsl.sys 167552 bytes executable

c:\windows\system32\drivers\dgdt.sys 132736 bytes executable

c:\windows\system32\drivers\dgdtl.sys 134784 bytes executable

c:\windows\system32\drivers\dgfiltr.sys 62208 bytes executable

c:\windows\system32\drivers\dgfsmon.SYS 91264 bytes executable

c:\windows\system32\drivers\DGKPMail.sys 33024 bytes executable

c:\windows\system32\drivers\DGMaster.sys 581376 bytes executable

c:\windows\system32\drivers\dgrec.sys 34560 bytes executable

c:\windows\system32\drivers\DGRule.sys 97792 bytes executable

c:\windows\system32\drivers\DGTDIMon.sys 127360 bytes executable

c:\windows\system32\drivers\DGUSBMon.sys 51456 bytes executable

c:\windows\system32\DgApi.dll 638976 bytes executable

c:\windows\system32\DGShlExt.dll 126976 bytes executable

scan completed successfully

hidden files: 19

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGAPIMon]

"ImagePath"="\??\c:\windows\System32\Drivers\DGAPIMon.SYS"

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGBusMon]

"ImagePath"="System32\Drivers\DGBusMon.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGCOTMAN]

"ImagePath"="\??\c:\windows\System32\Drivers\DGCOTMAN.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDmk]

"ImagePath"="System32\Drivers\DgDmk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDmkl]

"ImagePath"="System32\Drivers\DgDmkl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDS]

"ImagePath"="System32\Drivers\DgDs.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDSL]

"ImagePath"="System32\Drivers\DgDsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDT]

"ImagePath"="System32\Drivers\DgDt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGDTL]

"ImagePath"="System32\Drivers\DgDtl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGFILTR]

"ImagePath"="System32\Drivers\DgFiltr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGFSMon]

"ImagePath"="\??\c:\windows\System32\Drivers\DGFSMon.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGKPMail]

"ImagePath"="\??\c:\windows\System32\Drivers\DGKPMail.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGMaster]

"ImagePath"="System32\Drivers\DGMaster.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGREC]

"ImagePath"="System32\Drivers\DgRec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGRoot]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGRule]

"ImagePath"="\??\c:\windows\System32\Drivers\DGRule.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGScan]

"ImagePath"="\"c:\program files\DGAgent\DgScan.exe\" -s"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGService]

"ImagePath"="\"c:\program files\DGAgent\DgService.exe\" -s"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGTDIMon]

"ImagePath"="\??\c:\windows\System32\Drivers\DGTDIMon.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DGUSBMon]

"ImagePath"="\??\c:\windows\System32\Drivers\DGUSBMon.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

"ImagePath"="-"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1860)

c:\program files\Rational\ClearCase\bin\ccasenp.dll

c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

- - - - - - - > 'lsass.exe'(1916)

c:\program files\Rational\ClearCase\bin\ccasenp.dll

c:\windows\System32\BCMLogon.dll

c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

- - - - - - - > 'explorer.exe'(4556)

c:\program files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AE_MailSensor_Plugin.dll

c:\program files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_SMTPSensor.dll

c:\program files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_OutlookSensor.dll

c:\program files\TortoiseCVS\TortoiseShell.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Altiris\AClient\ACLIENT.EXE

c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe

c:\program files\Altiris\Recovery Solution Agent\AeXRSAgt.exe

c:\program files\Rational\ClearCase\bin\cccredmgr.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Rational\ClearCase\bin\lockmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\vmnat.exe

c:\windows\system32\vmnetdhcp.exe

c:\program files\VMware\VMware Player\vmware-authd.exe

c:\windows\system32\rundll32.exe

c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

.

**************************************************************************

.

Completion time: 2009-06-23 7:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-23 14:12

Pre-Run: 11,654,643,712 bytes free

Post-Run: 11,524,907,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect


  • Staff

Hi,

You need to reinstall your Norton anyway since it looks like some startup entries got corrupted/disabled as well.

Combofix could delete the rootkit that prevented Malwarebytes detection.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

Glad I could help. :P

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
