Ran Combo-Fix but still unable to open antivirus program


I read the posts of one of the members of the forum here, downloaded Combo-Fix and ran it. I think it removed quite a few foreign processes.

Then I was able to run MalwareBytes, and the antivirus program seems to be catching and removing viruses.

By the way, MalwareBytes caught quite a few viruses and removed them.

Problem: but I am still unable to open the antivirus program to schedule some scans. Any help appreciated!

See below the log file created by Combo-Fix:

ComboFix 09-08-20.07 - azniazi 08/21/2009 20:34.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1301 [GMT -4:00]

Running from: c:\documents and settings\azniazi\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Protection Agent 5.1 *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Internet Explorer.lnk

c:\program files\INSTALL.LOG

c:\windows\Installer\21ab39.msp

c:\windows\Installer\21ab3a.msp

c:\windows\Installer\21ab3b.msp

c:\windows\Installer\21ab3c.msp

c:\windows\Installer\21ab3d.msp

c:\windows\Installer\21ab3e.msp

c:\windows\Installer\21ab3f.msp

c:\windows\Installer\21ab40.msp

c:\windows\Installer\21ab41.msp

c:\windows\msa.exe

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\run.log

c:\windows\system32\.log

c:\windows\system32\bennuar.old

c:\windows\system32\bincd32.dat

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\dddesot.dll

c:\windows\system32\desot.exe

c:\windows\system32\drivers\kbiwkmyrrrprps.sys

c:\windows\system32\drivers\UAChhvufcxtcd.sys

c:\windows\system32\kbiwkmdqekvjkf.dll

c:\windows\system32\kbiwkmlaegjsrq.dll

c:\windows\system32\kbiwkmovtkqbbs.dat

c:\windows\system32\kbiwkmytbsaplr.dat

c:\windows\system32\mdm.exe

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

c:\windows\system32\UACbvhkctumwe.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACltabuxnqvd.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmumsdotvq

-------\Legacy_kbiwkmumsdotvq

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))

.

2009-08-21 06:48 . 2009-08-21 06:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-21 06:48 . 2009-08-21 06:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2009-08-21 04:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-21 04:38 . 2009-08-21 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-21 04:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 04:37 . 2009-08-21 04:37 -------- d--h--w- c:\windows\PIF

2009-08-21 02:29 . 2009-08-21 02:30 -------- d-----w- C:\bc657dec8cc4839b62c633a09a

2009-08-20 21:56 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-08-20 21:30 . 2009-08-21 23:55 74240 ----a-w- c:\windows\system32\uacbbr.dll

2009-08-20 17:30 . 2009-08-20 17:30 19968 ----a-w- c:\windows\system32\uacserf.dll

2009-08-20 17:30 . 2009-08-20 17:30 30208 ----a-w- c:\windows\system32\uacrem.dll

2009-08-20 17:30 . 2009-08-20 17:30 174 ----a-w- c:\windows\system32\UACsbqhossxgq.dat

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\QuickTime

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\Apple Software Update

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple Computer

2009-08-10 18:05 . 2008-01-24 10:34 32864 ----a-w- c:\windows\system32\dsgrab_01ca19e52df8d8ae.dll

2009-08-10 18:05 . 2008-01-24 10:34 10848 ----a-w- c:\windows\system32\drivers\dsload.sys

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Oracle

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\program files\Common Files\Oracle

2009-08-08 17:37 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-08 17:37 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-08 17:37 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-08 17:37 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-08 16:23 . 2009-08-08 16:23 -------- d-----w- c:\program files\honestech

2009-08-08 16:21 . 2006-11-15 21:31 18754 ----a-w- c:\windows\system32\drivers\StkASam.sys

2009-08-08 16:21 . 2006-06-10 02:30 61440 ----a-w- c:\windows\StkATVAp.exe

2009-08-08 16:21 . 2006-05-24 03:49 24576 ----a-w- c:\windows\system32\StkASv2K.exe

2009-08-08 16:21 . 2006-05-24 03:48 45056 ----a-w- c:\windows\system32\StkAVFW.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkAUSD.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkASSrv.dll

2009-08-08 16:20 . 2006-11-15 21:32 242139 ----a-w- c:\windows\system32\drivers\StkAMini.sys

2009-08-08 16:20 . 2006-11-15 21:32 243212 ----a-w- c:\windows\system32\drivers\StkACamd.sys

2009-08-08 16:20 . 2006-11-15 21:32 653988 ----a-w- c:\windows\system32\drivers\StkAPin.sys

2009-08-08 16:20 . 2006-06-27 22:27 4772 ----a-w- c:\windows\system32\drivers\StkScan.sys

2009-08-08 16:20 . 2006-05-24 03:47 106496 ----a-w- c:\windows\Stk1150.exe

2009-08-08 16:20 . 2006-02-09 22:07 10479603 ----a-w- c:\windows\system32\drivers\StkAPipe.sys

2009-08-08 16:20 . 2009-08-08 16:24 -------- d-----w- c:\program files\honestech VHS to DVD 3.0 Deluxe

2009-08-08 16:19 . 2009-08-08 16:19 -------- d-----w- c:\documents and settings\azniazi\Application Data\InstallShield

2009-08-08 15:40 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-08-08 15:40 . 2008-04-14 09:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-08-06 19:04 . 2009-08-06 19:04 34 ----a-w- c:\windows\system32\lockwait.dat

2009-08-06 18:57 . 2009-08-06 20:48 -------- d-----w- C:\oracle

2009-08-06 18:51 . 2009-08-07 17:03 -------- d-----w- c:\program files\Apache Group

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\program files\Microsoft Visual Studio .NET

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Microsoft Help

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-08-06 17:17 . 2009-08-06 18:30 -------- d-----w- C:\oraclexe

2009-08-04 19:53 . 2009-08-04 19:53 1919 ----a-w- c:\documents and settings\azniazi\Application Data\.purple\certificates\x509\tls_peers\stbeehive.oracle.com

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\iPass

2009-07-31 20:50 . 2009-07-31 20:50 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe

2009-07-31 20:50 . 2009-07-31 20:50 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\program files\iPass

2009-07-31 20:49 . 2009-07-31 20:49 -------- d-----w- c:\program files\iPassdoc3.x

2009-07-31 14:18 . 2009-07-31 14:18 -------- d---a-w- c:\documents and settings\azniazi\Application Data\.purple.bak.1

2009-07-28 20:54 . 2005-10-28 17:01 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys

2009-07-28 20:54 . 2005-11-16 05:30 765952 ----a-r- c:\windows\system32\hpptpml3.dll

2009-07-28 20:54 . 2005-06-21 02:48 266240 ----a-r- c:\windows\system32\hppasc01.dll

2009-07-28 20:54 . 2004-11-15 15:54 278528 ----a-r- c:\windows\system32\hpgwiamd.dll

2009-07-28 20:54 . 2005-10-04 17:17 102400 ----a-r- c:\windows\system32\hpfxbulk.dll

2009-07-28 20:52 . 2009-07-28 21:03 53631 ----a-w- c:\windows\hppins02.dat

2009-07-28 20:52 . 2006-01-25 08:03 2037 ------w- c:\windows\hppmdl02.dat

2009-07-28 20:13 . 2005-11-24 21:25 208896 ----a-w- c:\windows\system32\HPPAPR01.DLL

2009-07-28 20:13 . 2005-09-13 16:50 508 ----a-w- c:\windows\system32\hppapr01.dat

2009-07-28 20:04 . 2009-07-28 20:04 130 ----a-w- c:\documents and settings\azniazi\Local Settings\Application Data\fusioncache.dat

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\documents and settings\azniazi\Application Data\HP

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Hewlett-Packard

2009-07-28 20:00 . 2009-08-22 00:39 1785 ----a-w- c:\windows\bthservsdp.dat

2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Hewlett-Packard

2009-07-28 19:58 . 2009-07-28 19:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-07-28 19:57 . 2005-10-23 00:47 69632 ----a-w- c:\windows\system32\HPZipm12.exe

2009-07-28 19:57 . 2005-10-23 00:46 65536 ----a-w- c:\windows\system32\HPZinw12.exe

2009-07-28 19:57 . 2005-10-21 17:13 204800 ----a-w- c:\windows\system32\HPZipr12.dll

2009-07-28 19:57 . 2005-10-21 17:03 278584 ----a-w- c:\windows\system32\HPZidr12.dll

2009-07-28 19:57 . 2005-10-21 16:50 57344 ----a-w- c:\windows\system32\HPZisn12.dll

2009-07-28 19:57 . 2005-10-21 16:49 94208 ----a-w- c:\windows\system32\HPZipt12.dll

2009-07-28 19:57 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe

2009-07-28 19:42 . 2009-07-28 20:58 -------- d-----w- c:\program files\HP

2009-07-28 19:37 . 2009-07-28 19:37 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-07-27 23:37 . 2009-08-18 19:21 -------- d-----w- C:\azeem-temp

2009-07-27 20:40 . 2005-10-29 05:01 45056 ----a-w- c:\windows\system32\HPPAPTS0.DLL

2009-07-27 20:40 . 2005-10-29 05:01 36864 ----a-w- c:\windows\system32\HPPASNM0.DLL

2009-07-27 20:40 . 2005-10-29 05:01 36864 ----a-w- c:\windows\system32\HPPAPML0.DLL

2009-07-27 20:40 . 2005-10-29 05:01 36864 ----a-w- c:\windows\system32\HPPADT40.DLL

2009-07-27 20:40 . 2005-10-29 05:01 32768 ----a-w- c:\windows\system32\HPPAMON0.DLL

2009-07-27 16:44 . 2001-08-17 17:47 8704 -c--a-w- c:\windows\system32\dllcache\dot4scan.sys

2009-07-27 16:44 . 2001-08-17 17:47 8704 ----a-w- c:\windows\system32\drivers\Dot4Scan.sys

2009-07-27 16:44 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2009-07-27 16:44 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-07-27 16:41 . 2005-10-21 23:58 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys

2009-07-27 16:38 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-07-27 16:38 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-07-27 16:37 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2009-07-27 16:37 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2009-07-27 16:37 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2009-07-27 16:37 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-22 00:43 . 2008-08-27 04:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-21 16:49 . 2009-08-21 16:49 43736 ------w- c:\documents and settings\azniazi\cnsload_1250873381421.tmp

2009-08-08 16:20 . 2008-08-26 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-06 20:32 . 2009-07-22 17:32 -------- d-----w- c:\documents and settings\azniazi\Application Data\.purple

2009-08-06 17:15 . 2009-07-22 20:24 -------- d-----w- c:\program files\Common Files\InstallShield

2009-08-05 16:50 . 2008-08-27 03:52 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 14:18 . 2008-08-27 17:15 -------- d-----w- c:\program files\Pidgin

2009-07-28 20:02 . 2008-08-26 14:30 62424 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-22 20:24 . 2008-08-27 04:07 -------- d-----w- c:\program files\MigrationAssistant

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Apoint

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Dell

2009-07-22 20:17 . 2009-07-22 20:17 512 ----a-w- C:\OracleOB.dat

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\documents and settings\azniazi\Application Data\Malwarebytes

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-22 19:41 . 2009-07-22 19:41 -------- d-----w- c:\program files\MWSnap

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\documents and settings\azniazi\Application Data\Helios

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\program files\TextPad 5

2009-07-22 19:37 . 2009-07-22 19:37 0 ----a-w- c:\windows\nsreg.dat

2009-07-22 18:11 . 2009-07-22 18:11 -------- d-----w- c:\program files\Microsoft.NET

2009-07-22 17:28 . 2009-07-22 17:28 -------- d-----w- c:\documents and settings\Admin\Application Data\.purple

2009-07-22 17:27 . 2008-08-26 19:14 -------- d-----w- c:\program files\Desktop Tools

2009-07-22 17:05 . 2009-07-22 17:05 -------- d-----w- c:\program files\CONEXANT

2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:50 . 2008-04-14 12:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2008-04-14 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-04-14 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2008-08-26 12:40 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-07-24 04:05 . 2008-08-26 22:58 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-07-24 04:05 . 2008-08-26 22:58 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-07-24 04:05 . 2008-08-26 22:58 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-07-24 04:05 . 2008-08-26 22:58 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-07-24 04:05 . 2008-08-26 22:58 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]

"TweakAutomaticUpdates"="c:\windows\orclobi\gdswsuspatch_soon.exe" [2005-12-22 126887]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"ntpgds"="c:\windows\orclobi\synctime.exe" [2003-04-07 110993]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AutoProfileRepair"="c:\program files\Oracle\Outlook Connector\profilerepair.exe" [2007-09-21 73728]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]

"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2005-09-07 36864]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FirefoxConfig"="c:\windows\orclobi\config\openofficeconfig.exe" [2008-04-09 1114425]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2008-1-17 41042]

Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2006-9-22 73728]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [9/22/2006 1:41 PM 938592]

R2 IdcAdminService idcr_admin;IDC Content Admin Service idcr_admin;c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe [8/6/2009 5:10 PM 110592]

R2 IdcAdminService ucm_admin;IDC Content Admin Service ucm_admin;c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe [8/6/2009 4:49 PM 110592]

R2 MyDesktopWindows;MyDesktopService;c:\windows\ORCLOBI\MyDesktop\MyDesktopService.exe [6/26/2009 2:11 AM 998400]

R2 ocautoupds;Oracle Connector Automatic Updates Service;c:\program files\Oracle\Outlook Connector\ocautoupds.exe [9/21/2007 12:00 PM 69632]

R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]

R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]

R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [7/22/2009 1:28 PM 7012]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\ORCLOBI\MyDesktop\MyDesktopQOS.exe [12/4/2008 3:07 AM 470016]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/22/2009 1:51 PM 101936]

S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]

S2 IdcContentService idcr;IDC Content Service idcr;c:\oracle\ecm\urm\bin\IdcServerNT.exe [8/6/2009 5:10 PM 110592]

S2 IdcContentService ucm;IDC Content Service ucm;c:\oracle\ecm\ucm\bin\IdcServerNT.exe [8/6/2009 4:49 PM 110592]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

S4 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [8/27/2008 12:12 AM 44544]

UnknownUnknown dsload;dsload; [x]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-CalProfile - c:\windows\orclobi\config\cc1012cfg.exe

HKU-Default-RunOnce-ThunderbirdConfig - c:\windows\orclobi\config\tbirdconfig.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.oracle.com/

uInternet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>

Trusted Zone: oraclecorp.com\global-service

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab

FF - ProfilePath - c:\docume~1\azniazi\APPLIC~1\Mozilla\Firefox\Profiles\d2epvq8g.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.oracle.com

FF - prefs.js: network.proxy.type - 2

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-21 20:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4196)

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\SYSTEM32\TDShell.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\SPA\Smc.exe

c:\program files\Symantec\SPA\SNAC.EXE

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\scardsvr.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\oracle\ecm\urm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\oracle\ecm\ucm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Oracle\ODrive\XfsSvcCon.exe

c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\StkASv2K.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Symantec\SPA\SmcGui.exe

c:\program files\Oracle\ODrive\ODFWAgent.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-22 20:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-22 00:46

Pre-Run: 54,105,317,376 bytes free

Post-Run: 54,153,854,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

372 --- E O F --- 2009-08-06 15:57


  • Staff

Hi akhanni and welcome to Malwarebytes.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

File::

c:\windows\system32\drivers\Sysguard.sys

c:\windows\system32\uacbbr.dll

c:\windows\system32\uacserf.dll

c:\windows\system32\uacrem.dll

c:\windows\system32\UACsbqhossxgq.dat

Driver::

SysGuard

KILLALL::

RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Do you pay for Symantec? I can recommend great free antivirus programs for you if you'd like.

-screen317

Hello, thanks a bunch for your reply. I was actually able to fix the issue by changing the security permission on the antivirus program from "Everyone" to "Administrator".


Please follow the instructions I posted anyway. Many infected files are still present, even if you don't feel immediate symptoms.

Okay. Let me know what you think.

COMBO FIX LOG:

ComboFix 09-08-26.07 - azniazi 08/27/2009 11:52.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.899 [GMT -4:00]

Running from: c:\documents and settings\azniazi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\azniazi\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Protection Agent 5.1 *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::

"c:\windows\system32\drivers\Sysguard.sys"

"c:\windows\system32\uacbbr.dll"

"c:\windows\system32\uacrem.dll"

"c:\windows\system32\UACsbqhossxgq.dat"

"c:\windows\system32\uacserf.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll

c:\windows\Downloaded Program Files.\cnsload.inf

c:\windows\system32\drivers\Sysguard.sys

c:\windows\system32\uacserf.dll

c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll . . . . failed to delete

c:\windows\Downloaded Program Files.\cnsload.inf . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SYSGUARD

-------\Service_SysGuard

((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))

.

2009-08-24 19:10 . 2009-08-24 19:10 1713 ----a-w- c:\documents and settings\azniazi\Application Data\.purple\certificates\x509\tls_peers\stbeehive.oracle.com

2009-08-22 01:47 . 2009-08-22 01:47 1174 ----a-w- c:\windows\mozver.dat

2009-08-21 06:48 . 2009-08-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-21 04:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-21 04:38 . 2009-08-21 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-21 04:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 04:37 . 2009-08-21 04:37 -------- d--h--w- c:\windows\PIF

2009-08-21 02:29 . 2009-08-21 02:30 -------- d-----w- C:\bc657dec8cc4839b62c633a09a

2009-08-20 21:56 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-08-20 14:55 . 2009-08-20 14:55 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\NAVEX15.SYS

2009-08-20 14:55 . 2009-08-20 14:55 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\NAVEX32A.DLL

2009-08-20 14:55 . 2009-08-20 14:55 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\NAVENG.SYS

2009-08-20 14:55 . 2009-08-20 14:55 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\EECTRL.SYS

2009-08-20 14:55 . 2009-08-20 14:55 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\ECMSVR32.DLL

2009-08-20 14:55 . 2009-08-20 14:55 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\CCERASER.DLL

2009-08-20 14:55 . 2009-08-20 14:55 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\NAVENG32.DLL

2009-08-20 14:55 . 2009-08-20 14:55 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e2622.vdb\ERASER.SYS

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\QuickTime

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\Apple Software Update

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple Computer

2009-08-10 18:05 . 2008-01-24 10:34 32864 ----a-w- c:\windows\system32\dsgrab_01ca19e52df8d8ae.dll

2009-08-10 18:05 . 2008-01-24 10:34 10848 ----a-w- c:\windows\system32\drivers\dsload.sys

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Oracle

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\program files\Common Files\Oracle

2009-08-08 17:37 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-08 17:37 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-08 17:37 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-08 17:37 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-08 16:23 . 2009-08-08 16:23 -------- d-----w- c:\program files\honestech

2009-08-08 16:21 . 2006-11-15 21:31 18754 ----a-w- c:\windows\system32\drivers\StkASam.sys

2009-08-08 16:21 . 2006-06-10 02:30 61440 ----a-w- c:\windows\StkATVAp.exe

2009-08-08 16:21 . 2006-05-24 03:49 24576 ----a-w- c:\windows\system32\StkASv2K.exe

2009-08-08 16:21 . 2006-05-24 03:48 45056 ----a-w- c:\windows\system32\StkAVFW.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkAUSD.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkASSrv.dll

2009-08-08 16:20 . 2006-11-15 21:32 242139 ----a-w- c:\windows\system32\drivers\StkAMini.sys

2009-08-08 16:20 . 2006-11-15 21:32 243212 ----a-w- c:\windows\system32\drivers\StkACamd.sys

2009-08-08 16:20 . 2006-11-15 21:32 653988 ----a-w- c:\windows\system32\drivers\StkAPin.sys

2009-08-08 16:20 . 2006-06-27 22:27 4772 ----a-w- c:\windows\system32\drivers\StkScan.sys

2009-08-08 16:20 . 2006-05-24 03:47 106496 ----a-w- c:\windows\Stk1150.exe

2009-08-08 16:20 . 2006-02-09 22:07 10479603 ----a-w- c:\windows\system32\drivers\StkAPipe.sys

2009-08-08 16:20 . 2009-08-08 16:24 -------- d-----w- c:\program files\honestech VHS to DVD 3.0 Deluxe

2009-08-08 16:19 . 2009-08-08 16:19 -------- d-----w- c:\documents and settings\azniazi\Application Data\InstallShield

2009-08-08 15:40 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-08-08 15:40 . 2008-04-14 09:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-08-06 19:04 . 2009-08-06 19:04 34 ----a-w- c:\windows\system32\lockwait.dat

2009-08-06 18:57 . 2009-08-06 20:48 -------- d-----w- C:\oracle

2009-08-06 18:51 . 2009-08-07 17:03 -------- d-----w- c:\program files\Apache Group

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\program files\Microsoft Visual Studio .NET

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Microsoft Help

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 17:17 . 2009-08-06 18:30 -------- d-----w- C:\oraclexe

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass

2009-07-31 20:50 . 2009-07-31 20:50 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe

2009-07-31 20:50 . 2009-07-31 20:50 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\program files\iPass

2009-07-31 20:49 . 2009-07-31 20:49 -------- d-----w- c:\program files\iPassdoc3.x

2009-07-31 14:18 . 2009-07-31 14:18 -------- d---a-w- c:\documents and settings\azniazi\Application Data\.purple.bak.1

2009-07-28 20:54 . 2005-10-28 17:01 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys

2009-07-28 20:54 . 2005-11-16 05:30 765952 ----a-r- c:\windows\system32\hpptpml3.dll

2009-07-28 20:54 . 2005-06-21 02:48 266240 ----a-r- c:\windows\system32\hppasc01.dll

2009-07-28 20:54 . 2004-11-15 15:54 278528 ----a-r- c:\windows\system32\hpgwiamd.dll

2009-07-28 20:54 . 2005-10-04 17:17 102400 ----a-r- c:\windows\system32\hpfxbulk.dll

2009-07-28 20:52 . 2009-07-28 21:03 53631 ----a-w- c:\windows\hppins02.dat

2009-07-28 20:52 . 2006-01-25 08:03 2037 ------w- c:\windows\hppmdl02.dat

2009-07-28 20:13 . 2005-11-24 21:25 208896 ----a-w- c:\windows\system32\HPPAPR01.DLL

2009-07-28 20:13 . 2005-09-13 16:50 508 ----a-w- c:\windows\system32\hppapr01.dat

2009-07-28 20:04 . 2009-07-28 20:04 130 ----a-w- c:\documents and settings\azniazi\Local Settings\Application Data\fusioncache.dat

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\documents and settings\azniazi\Application Data\HP

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-07-28 20:00 . 2009-08-27 15:56 1785 ----a-w- c:\windows\bthservsdp.dat

2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Hewlett-Packard

2009-07-28 19:58 . 2009-07-28 19:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-07-28 19:57 . 2005-10-23 00:47 69632 ----a-w- c:\windows\system32\HPZipm12.exe

2009-07-28 19:57 . 2005-10-23 00:46 65536 ----a-w- c:\windows\system32\HPZinw12.exe

2009-07-28 19:57 . 2005-10-21 17:13 204800 ----a-w- c:\windows\system32\HPZipr12.dll

2009-07-28 19:57 . 2005-10-21 17:03 278584 ----a-w- c:\windows\system32\HPZidr12.dll

2009-07-28 19:57 . 2005-10-21 16:50 57344 ----a-w- c:\windows\system32\HPZisn12.dll

2009-07-28 19:57 . 2005-10-21 16:49 94208 ----a-w- c:\windows\system32\HPZipt12.dll

2009-07-28 19:57 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe

2009-07-28 19:42 . 2009-07-28 20:58 -------- d-----w- c:\program files\HP

2009-07-28 19:37 . 2009-07-28 19:37 -------- d-----w- c:\program files\Common Files\SWF Studio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-27 16:00 . 2008-08-27 04:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-24 20:03 . 2009-07-22 17:32 -------- d-----w- c:\documents and settings\azniazi\Application Data\.purple

2009-08-21 16:49 . 2009-08-21 16:49 43736 ------w- c:\documents and settings\azniazi\cnsload_1250873381421.tmp

2009-08-08 16:20 . 2008-08-26 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-06 17:15 . 2009-07-22 20:24 -------- d-----w- c:\program files\Common Files\InstallShield

2009-08-05 16:50 . 2008-08-27 03:52 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 14:18 . 2008-08-27 17:15 -------- d-----w- c:\program files\Pidgin

2009-07-28 20:02 . 2008-08-26 14:30 62424 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-22 20:24 . 2008-08-27 04:07 -------- d-----w- c:\program files\MigrationAssistant

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Apoint

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Dell

2009-07-22 20:17 . 2009-07-22 20:17 512 ----a-w- C:\OracleOB.dat

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\documents and settings\azniazi\Application Data\Malwarebytes

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-22 19:41 . 2009-07-22 19:41 -------- d-----w- c:\program files\MWSnap

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\documents and settings\azniazi\Application Data\Helios

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\program files\TextPad 5

2009-07-22 19:37 . 2009-07-22 19:37 0 ----a-w- c:\windows\nsreg.dat

2009-07-22 18:11 . 2009-07-22 18:11 -------- d-----w- c:\program files\Microsoft.NET

2009-07-22 17:28 . 2009-07-22 17:28 -------- d-----w- c:\documents and settings\Admin\Application Data\.purple

2009-07-22 17:27 . 2008-08-26 19:14 -------- d-----w- c:\program files\Desktop Tools

2009-07-22 17:05 . 2009-07-22 17:05 -------- d-----w- c:\program files\CONEXANT

2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:50 . 2008-04-14 12:00 666624 ------w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2008-04-14 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-04-14 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2008-08-26 12:40 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-07-24 04:05 . 2008-08-26 22:58 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-07-24 04:05 . 2008-08-26 22:58 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-07-24 04:05 . 2008-08-26 22:58 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-07-24 04:05 . 2008-08-26 22:58 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-07-24 04:05 . 2008-08-26 22:58 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_00.43.13 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-14 12:00 . 2009-08-20 22:45 63624 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-08-22 00:46 63624 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-08-22 00:46 405956 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2009-08-20 22:45 405956 c:\windows\system32\perfh009.dat

+ 2009-08-22 01:47 . 2009-07-18 00:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2009-08-12 21:07 . 2009-08-24 19:08 416170 c:\windows\ORCLOBI\MyDesktop\script.dat

+ 2009-08-22 01:47 . 2009-07-18 00:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]

"TweakAutomaticUpdates"="c:\windows\orclobi\gdswsuspatch_soon.exe" [2005-12-22 126887]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"ntpgds"="c:\windows\orclobi\synctime.exe" [2003-04-07 110993]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AutoProfileRepair"="c:\program files\Oracle\Outlook Connector\profilerepair.exe" [2007-09-21 73728]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]

"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2005-09-07 36864]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FirefoxConfig"="c:\windows\orclobi\config\openofficeconfig.exe" [2008-04-09 1114425]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2008-1-17 41042]

Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2006-9-22 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [9/22/2006 1:41 PM 938592]

R2 IdcAdminService idcr_admin;IDC Content Admin Service idcr_admin;c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe [8/6/2009 5:10 PM 110592]

R2 IdcAdminService ucm_admin;IDC Content Admin Service ucm_admin;c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe [8/6/2009 4:49 PM 110592]

R2 MyDesktopWindows;MyDesktopService;c:\windows\ORCLOBI\MyDesktop\MyDesktopService.exe [6/26/2009 2:11 AM 998400]

R2 ocautoupds;Oracle Connector Automatic Updates Service;c:\program files\Oracle\Outlook Connector\ocautoupds.exe [9/21/2007 12:00 PM 69632]

R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]

R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]

R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [7/22/2009 1:28 PM 7012]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\ORCLOBI\MyDesktop\MyDesktopQOS.exe [12/4/2008 3:07 AM 470016]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/22/2009 1:51 PM 101936]

S0 ieohhot;ieohhot;c:\windows\system32\drivers\qogtkfk.sys --> c:\windows\system32\drivers\qogtkfk.sys [?]

S2 IdcContentService idcr;IDC Content Service idcr;c:\oracle\ecm\urm\bin\IdcServerNT.exe [8/6/2009 5:10 PM 110592]

S2 IdcContentService ucm;IDC Content Service ucm;c:\oracle\ecm\ucm\bin\IdcServerNT.exe [8/6/2009 4:49 PM 110592]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\At1.job

- c:\windows\orclobi\gdswsuspatch.exe [2008-07-14 19:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.oracle.com/

uInternet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>

Trusted Zone: oraclecorp.com\global-service

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab

FF - ProfilePath - c:\documents and settings\azniazi\Application Data\Mozilla\Firefox\Profiles\d2epvq8g.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.oracle.com

FF - prefs.js: network.proxy.type - 2

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-27 11:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5824)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\SYSTEM32\TDShell.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\SPA\Smc.exe

c:\program files\Symantec\SPA\SNAC.EXE

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\scardsvr.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\oracle\ecm\urm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\oracle\ecm\ucm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Oracle\ODrive\XfsSvcCon.exe

c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\StkASv2K.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Oracle\ODrive\ODFWAgent.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

c:\program files\Symantec\SPA\SmcGui.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

.

**************************************************************************

.

Completion time: 2009-08-27 12:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-27 16:02

ComboFix2.txt 2009-08-22 00:47

Pre-Run: 53,945,806,848 bytes free

Post-Run: 53,906,198,528 bytes free

312 --- E O F --- 2009-08-06 15:57

HIJACK THIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:03:17 PM, on 8/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Symantec\SPA\smc.exe

c:\Program Files\Symantec\SPA\snac.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe

c:\oracle\ecm\urm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\oracle\ecm\ucm\shared\os\win32\jdk1.5.0_11\bin\java.exe

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe

C:\Program Files\Oracle\ODrive\XfsSvcCon.exe

c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE

C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\System32\StkASv2K.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\HP UT\bin\hppusg.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Oracle\ODrive\odrive.exe

C:\Program Files\Oracle\ODrive\ODFWAgent.exe

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

c:\Program Files\Symantec\SPA\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.oracle.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

O4 - HKLM\..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe "C:\Program Files\HP\HP UT\"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKUS\S-1-5-18\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\openofficeconfig.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\openofficeconfig.exe (User 'Default user')

O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe

O4 - Global Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe

O4 - Global Startup: VPN Client.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250804746359

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com

O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com

O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: IDC Content Admin Service idcr_admin (IdcAdminService idcr_admin) - Oracle, Inc. - c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe

O23 - Service: IDC Content Admin Service ucm_admin (IdcAdminService ucm_admin) - Oracle, Inc. - c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe

O23 - Service: IDC Content Service idcr (IdcContentService idcr) - Oracle, Inc. - c:\oracle\ecm\urm\bin\IdcServerNT.exe

O23 - Service: IDC Content Service ucm (IdcContentService ucm) - Oracle, Inc. - c:\oracle\ecm\ucm\bin\IdcServerNT.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe

O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe

O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE

O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe

O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe

O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: USB2.0 VIDBOX NW02 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--

End of file - 11165 bytes


  • Staff

Hi,

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\tdfsd.sys

Post the results in your reply.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

ieohhot

dsload

File::

c:\windows\system32\drivers\qogtkfk.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
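A small triage script for logs like the ones in this thread, added here as an example; it is not part of the thread and is not a ComboFix, HijackThis or Malwarebytes tool. It parses HijackThis "O23 - Service:" lines and ComboFix "R1/R2/S2 name;display;path [...]" lines into records, strips service arguments to recover the image path, and attaches the flags a helper looks at first: "Unknown owner", "(file missing)", a .sys loaded from somewhere other than system32\drivers, and random-looking names such as tdfsd or qogtkfk (a weak hint only; Rtvscan and MsPMSPSv trip it too). It also reads the REGEDIT4 block ComboFix prints under "Reg Loading Points" and reports the values that silence Security Center (AntiVirusOverride, DisableMonitoring) or switch the XP firewall off (EnableFirewall=0), all of which appear in the ComboFix log posted later in this thread; some security suites set those keys themselves, so confirm with the product before calling it tampering. The sample input is constructed: lines copied from the logs in this thread plus one made-up R1 line for qogtkfk.sys, whose timestamp and size are invented.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: lines copied from this thread's logs, plus one made-up R1 line for qogtkfk.sys.
SAMPLE_LOG = r"""
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [9/22/2006 1:41 PM 938592]
R1 qogtkfk;qogtkfk;c:\windows\system32\drivers\qogtkfk.sys [8/10/2009 2:05 PM 10848]
R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [7/22/2009 1:28 PM 7012]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
CF_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[A-Za-z0-9_][^;]*);(?P<display>[^;]*);(?P<path>.+?)(?: \[[^\]]*\])?$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.+)$')
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|sys|dll|cpl))\b", re.IGNORECASE)

@dataclass
class Entry:
    kind: str      # "O23" or the ComboFix start code (R1, R2, S2 ...)
    name: str
    owner: str     # vendor string on O23 lines; empty for ComboFix lines
    image: str     # executable/driver path with service arguments stripped
    missing: bool
    flags: List[str] = field(default_factory=list)

def image_of(path: str) -> str:
    # Drop the " --> ..." repeat ComboFix prints and trailing arguments ("ORACLE.EXE XE").
    head = path.split(" --> ", 1)[0]
    m = IMAGE_RE.match(head)
    return m["image"] if m else head

def looks_random(stem: str) -> bool:
    # Weak hint (Rtvscan and MsPMSPSv trip it too): letters only, 5+ chars, a 5+ consonant run.
    s = stem.lower()
    runs = re.findall(r"[^aeiou]+", s)
    return s.isalpha() and len(s) >= 5 and max(map(len, runs), default=0) >= 5

def flag(e: Entry) -> Entry:
    p = PureWindowsPath(e.image)
    if e.owner.lower() == "unknown owner":
        e.flags.append("unknown_owner")
    if e.missing:
        e.flags.append("file_missing")
    if p.suffix.lower() == ".sys" and str(p.parent).lower() != r"c:\windows\system32\drivers":
        e.flags.append("driver_outside_drivers_dir")
    if looks_random(p.stem):
        e.flags.append("random_looking")
    return e

def reg_int(raw: str) -> Optional[int]:
    # "dword:00000001" -> 1, "0 (0x0)" -> 0, anything else (hex(6):..., strings) -> None.
    try:
        return int(raw[6:], 16) if raw.startswith("dword:") else int(raw.split()[0])
    except ValueError:
        return None

def security_findings(reg: Dict[str, Dict[str, Optional[int]]]) -> List[str]:
    # Values that silence Security Center or turn the XP firewall off; some suites set these themselves.
    out = []
    for key, vals in reg.items():
        k = key.lower()
        if k.endswith("\\security center") and vals.get("AntiVirusOverride") == 1:
            out.append("Security Center AV status overridden (AntiVirusOverride=1)")
        if "\\security center\\monitoring\\" in k and vals.get("DisableMonitoring") == 1:
            out.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1])
        if k.endswith("firewallpolicy\\standardprofile") and vals.get("EnableFirewall") == 0:
            out.append("Windows Firewall standard profile off (EnableFirewall=0)")
    return out

def triage(log_text: str) -> dict:
    entries, reg, key = [], {}, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m["key"]
            reg.setdefault(key, {})
        elif key and (m := VAL_RE.match(line)):
            reg[key][m["name"]] = reg_int(m["raw"])
        elif m := O23_RE.match(line):
            entries.append(flag(Entry("O23", m["name"], m["owner"], image_of(m["path"]), bool(m["missing"]))))
        elif m := CF_RE.match(line):
            entries.append(flag(Entry(m["start"], m["name"], "", image_of(m["path"]), False)))
    return {"entries": entries, "registry": security_findings(reg)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["entries"]:
        print(e.kind, e.name, e.image, ",".join(e.flags) or "-", sep="\t")
    print(*result["registry"], sep="\n")
```

Run it as-is to see the sample triaged, or pass the text of a real ComboFix or HijackThis log to triage(). The flags only order the review; the VirusTotal upload the reply above asks for is still how a questionable driver such as tdfsd.sys gets a verdict, and the Security Center findings need to be checked against what the installed suite itself configures.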


COMBO FIX LOG

ComboFix 09-08-28.01 - azniazi 08/28/2009 16:27.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1302 [GMT -4:00]

Running from: c:\documents and settings\azniazi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\azniazi\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Protection Agent 5.1 *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::

"c:\windows\system32\drivers\qogtkfk.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll

c:\windows\Downloaded Program Files.\cnsload.inf

c:\windows\Downloaded Program Files.\cnsload-3.0.3.406.dll . . . . failed to delete

c:\windows\Downloaded Program Files.\cnsload.inf . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DSLOAD

-------\Service_dsload

-------\Service_ieohhot

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-27 23:35 . 2009-08-27 23:35 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\NAVENG.SYS

2009-08-27 23:35 . 2009-08-27 23:35 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\NAVENG32.DLL

2009-08-27 23:35 . 2009-08-27 23:35 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\NAVEX32A.DLL

2009-08-27 23:35 . 2009-08-27 23:35 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\NAVEX15.SYS

2009-08-27 23:35 . 2009-08-27 23:35 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\EECTRL.SYS

2009-08-27 23:35 . 2009-08-27 23:35 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\CCERASER.DLL

2009-08-27 23:35 . 2009-08-27 23:35 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\ECMSVR32.DLL

2009-08-27 23:35 . 2009-08-27 23:35 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e3602.vdb\ERASER.SYS

2009-08-27 16:03 . 2009-08-27 16:03 -------- d-----w- c:\program files\Trend Micro

2009-08-24 19:10 . 2009-08-24 19:10 1713 ----a-w- c:\documents and settings\azniazi\Application Data\.purple\certificates\x509\tls_peers\stbeehive.oracle.com

2009-08-22 01:47 . 2009-08-22 01:47 1174 ----a-w- c:\windows\mozver.dat

2009-08-21 06:48 . 2009-08-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-21 04:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-21 04:38 . 2009-08-21 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-21 04:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-21 04:37 . 2009-08-21 04:37 -------- d--h--w- c:\windows\PIF

2009-08-21 02:29 . 2009-08-21 02:30 -------- d-----w- C:\bc657dec8cc4839b62c633a09a

2009-08-20 21:56 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\QuickTime

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\program files\Apple Software Update

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-18 17:17 . 2009-08-18 17:17 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Apple Computer

2009-08-10 18:05 . 2008-01-24 10:34 32864 ----a-w- c:\windows\system32\dsgrab_01ca19e52df8d8ae.dll

2009-08-10 18:05 . 2008-01-24 10:34 10848 ----a-w- c:\windows\system32\drivers\dsload.sys

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Oracle

2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\program files\Common Files\Oracle

2009-08-08 17:37 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-08 17:37 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-08 17:37 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-08 17:37 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-08 16:23 . 2009-08-08 16:23 -------- d-----w- c:\program files\honestech

2009-08-08 16:21 . 2006-11-15 21:31 18754 ----a-w- c:\windows\system32\drivers\StkASam.sys

2009-08-08 16:21 . 2006-06-10 02:30 61440 ----a-w- c:\windows\StkATVAp.exe

2009-08-08 16:21 . 2006-05-24 03:49 24576 ----a-w- c:\windows\system32\StkASv2K.exe

2009-08-08 16:21 . 2006-05-24 03:48 45056 ----a-w- c:\windows\system32\StkAVFW.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkAUSD.dll

2009-08-08 16:21 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkASSrv.dll

2009-08-08 16:20 . 2006-11-15 21:32 242139 ----a-w- c:\windows\system32\drivers\StkAMini.sys

2009-08-08 16:20 . 2006-11-15 21:32 243212 ----a-w- c:\windows\system32\drivers\StkACamd.sys

2009-08-08 16:20 . 2006-11-15 21:32 653988 ----a-w- c:\windows\system32\drivers\StkAPin.sys

2009-08-08 16:20 . 2006-06-27 22:27 4772 ----a-w- c:\windows\system32\drivers\StkScan.sys

2009-08-08 16:20 . 2006-05-24 03:47 106496 ----a-w- c:\windows\Stk1150.exe

2009-08-08 16:20 . 2006-02-09 22:07 10479603 ----a-w- c:\windows\system32\drivers\StkAPipe.sys

2009-08-08 16:20 . 2009-08-08 16:24 -------- d-----w- c:\program files\honestech VHS to DVD 3.0 Deluxe

2009-08-08 16:19 . 2009-08-08 16:19 -------- d-----w- c:\documents and settings\azniazi\Application Data\InstallShield

2009-08-08 15:40 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2009-08-08 15:40 . 2008-04-14 09:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2009-08-06 19:04 . 2009-08-06 19:04 34 ----a-w- c:\windows\system32\lockwait.dat

2009-08-06 18:57 . 2009-08-06 20:48 -------- d-----w- C:\oracle

2009-08-06 18:51 . 2009-08-07 17:03 -------- d-----w- c:\program files\Apache Group

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\program files\Microsoft Visual Studio .NET

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\documents and settings\azniazi\Local Settings\Application Data\Microsoft Help

2009-08-06 17:18 . 2009-08-06 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 17:17 . 2009-08-06 18:30 -------- d-----w- C:\oraclexe

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass

2009-07-31 20:50 . 2009-07-31 20:50 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe

2009-07-31 20:50 . 2009-07-31 20:50 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys

2009-07-31 20:50 . 2009-07-31 20:50 -------- d-----w- c:\program files\iPass

2009-07-31 20:49 . 2009-07-31 20:49 -------- d-----w- c:\program files\iPassdoc3.x

2009-07-31 14:18 . 2009-07-31 14:18 -------- d---a-w- c:\documents and settings\azniazi\Application Data\.purple.bak.1

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 20:35 . 2008-08-27 04:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-28 20:32 . 2009-07-28 20:00 1785 ----a-w- c:\windows\bthservsdp.dat

2009-08-28 00:26 . 2009-07-22 17:32 -------- d-----w- c:\documents and settings\azniazi\Application Data\.purple

2009-08-21 16:49 . 2009-08-21 16:49 43736 ------w- c:\documents and settings\azniazi\cnsload_1250873381421.tmp

2009-08-08 16:20 . 2008-08-26 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-06 17:15 . 2009-07-22 20:24 -------- d-----w- c:\program files\Common Files\InstallShield

2009-08-05 16:50 . 2008-08-27 03:52 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 14:18 . 2008-08-27 17:15 -------- d-----w- c:\program files\Pidgin

2009-07-28 21:03 . 2009-07-28 20:52 53631 ----a-w- c:\windows\hppins02.dat

2009-07-28 20:58 . 2009-07-28 19:42 -------- d-----w- c:\program files\HP

2009-07-28 20:04 . 2009-07-28 20:04 130 ----a-w- c:\documents and settings\azniazi\Local Settings\Application Data\fusioncache.dat

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\documents and settings\azniazi\Application Data\HP

2009-07-28 20:03 . 2009-07-28 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-07-28 20:02 . 2008-08-26 14:30 62424 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Hewlett-Packard

2009-07-28 19:58 . 2009-07-28 19:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2009-07-28 19:37 . 2009-07-28 19:37 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-07-22 20:24 . 2008-08-27 04:07 -------- d-----w- c:\program files\MigrationAssistant

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Apoint

2009-07-22 20:24 . 2009-07-22 20:24 -------- d-----w- c:\program files\Dell

2009-07-22 20:17 . 2009-07-22 20:17 512 ----a-w- C:\OracleOB.dat

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\documents and settings\azniazi\Application Data\Malwarebytes

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-22 19:41 . 2009-07-22 19:41 -------- d-----w- c:\program files\MWSnap

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\documents and settings\azniazi\Application Data\Helios

2009-07-22 19:40 . 2009-07-22 19:40 -------- d-----w- c:\program files\TextPad 5

2009-07-22 19:37 . 2009-07-22 19:37 0 ----a-w- c:\windows\nsreg.dat

2009-07-22 18:11 . 2009-07-22 18:11 -------- d-----w- c:\program files\Microsoft.NET

2009-07-22 17:28 . 2009-07-22 17:28 -------- d-----w- c:\documents and settings\Admin\Application Data\.purple

2009-07-22 17:27 . 2008-08-26 19:14 -------- d-----w- c:\program files\Desktop Tools

2009-07-22 17:05 . 2009-07-22 17:05 -------- d-----w- c:\program files\CONEXANT

2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:50 . 2008-04-14 12:00 666624 ------w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2008-04-14 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-04-14 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2008-08-26 12:40 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-07-24 04:05 . 2008-08-26 22:58 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-07-24 04:05 . 2008-08-26 22:58 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-07-24 04:05 . 2008-08-26 22:58 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-07-24 04:05 . 2008-08-26 22:58 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-07-24 04:05 . 2008-08-26 22:58 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_00.43.13 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-14 12:00 . 2009-08-20 22:45 63624 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-08-22 00:46 63624 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-08-22 00:46 405956 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2009-08-20 22:45 405956 c:\windows\system32\perfh009.dat

+ 2009-08-22 01:47 . 2009-07-18 00:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2009-08-28 12:53 . 2009-08-28 12:53 416603 c:\windows\ORCLOBI\MyDesktop\script.dat

+ 2009-08-22 01:47 . 2009-07-18 00:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]

"TweakAutomaticUpdates"="c:\windows\orclobi\gdswsuspatch_soon.exe" [2005-12-22 126887]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"ntpgds"="c:\windows\orclobi\synctime.exe" [2003-04-07 110993]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AutoProfileRepair"="c:\program files\Oracle\Outlook Connector\profilerepair.exe" [2007-09-21 73728]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]

"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2005-09-07 36864]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FirefoxConfig"="c:\windows\orclobi\config\openofficeconfig.exe" [2008-04-09 1114425]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2008-1-17 41042]

Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2006-9-22 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [9/22/2006 1:41 PM 938592]

R2 IdcAdminService idcr_admin;IDC Content Admin Service idcr_admin;c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe [8/6/2009 5:10 PM 110592]

R2 IdcAdminService ucm_admin;IDC Content Admin Service ucm_admin;c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe [8/6/2009 4:49 PM 110592]

R2 MyDesktopWindows;MyDesktopService;c:\windows\ORCLOBI\MyDesktop\MyDesktopService.exe [6/26/2009 2:11 AM 998400]

R2 ocautoupds;Oracle Connector Automatic Updates Service;c:\program files\Oracle\Outlook Connector\ocautoupds.exe [9/21/2007 12:00 PM 69632]

R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]

R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]

R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [7/22/2009 1:28 PM 7012]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\ORCLOBI\MyDesktop\MyDesktopQOS.exe [12/4/2008 3:07 AM 470016]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:35 PM 102448]

S2 IdcContentService idcr;IDC Content Service idcr;c:\oracle\ecm\urm\bin\IdcServerNT.exe [8/6/2009 5:10 PM 110592]

S2 IdcContentService ucm;IDC Content Service ucm;c:\oracle\ecm\ucm\bin\IdcServerNT.exe [8/6/2009 4:49 PM 110592]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\At1.job

- c:\windows\orclobi\gdswsuspatch.exe [2008-07-14 19:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.oracle.com/

uInternet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>

Trusted Zone: oraclecorp.com\global-service

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab

FF - ProfilePath - c:\documents and settings\azniazi\Application Data\Mozilla\Firefox\Profiles\d2epvq8g.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.oracle.com

FF - prefs.js: network.proxy.type - 2

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-28 16:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4108)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\SYSTEM32\TDShell.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\SPA\Smc.exe

c:\program files\Symantec\SPA\SNAC.EXE

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\scardsvr.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Apache Group\Apache2\bin\Apache.exe

c:\oracle\ecm\urm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\oracle\ecm\ucm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Oracle\ODrive\XfsSvcCon.exe

c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\StkASv2K.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

c:\program files\Symantec\SPA\SmcGui.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Oracle\ODrive\ODFWAgent.exe

.

**************************************************************************

.

Completion time: 2009-08-28 16:37 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 20:37

ComboFix2.txt 2009-08-27 16:02

ComboFix3.txt 2009-08-22 00:47

Pre-Run: 53,806,747,648 bytes free

Post-Run: 53,756,030,976 bytes free

293 --- E O F --- 2009-08-06 15:57

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:58:28 PM, on 8/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Symantec\SPA\smc.exe

c:\Program Files\Symantec\SPA\snac.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

c:\oracle\ecm\urm\shared\os\win32\jdk1.5.0_11\bin\java.exe

c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe

c:\oracle\ecm\ucm\shared\os\win32\jdk1.5.0_11\bin\java.exe

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe

C:\Program Files\Oracle\ODrive\XfsSvcCon.exe

c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE

C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkASv2K.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

c:\Program Files\Symantec\SPA\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\HP UT\bin\hppusg.exe

C:\Program Files\Oracle\ODrive\odrive.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Oracle\ODrive\ODFWAgent.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.oracle.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

O4 - HKLM\..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe "C:\Program Files\HP\HP UT\"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKUS\S-1-5-18\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\openofficeconfig.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\openofficeconfig.exe (User 'Default user')

O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe

O4 - Global Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe

O4 - Global Startup: VPN Client.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com

O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1250804746359

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com

O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com

O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: IDC Content Admin Service idcr_admin (IdcAdminService idcr_admin) - Oracle, Inc. - c:\oracle\ecm\urm\admin\bin\IdcAdminNT.exe

O23 - Service: IDC Content Admin Service ucm_admin (IdcAdminService ucm_admin) - Oracle, Inc. - c:\oracle\ecm\ucm\admin\bin\IdcAdminNT.exe

O23 - Service: IDC Content Service idcr (IdcContentService idcr) - Oracle, Inc. - c:\oracle\ecm\urm\bin\IdcServerNT.exe

O23 - Service: IDC Content Service ucm (IdcContentService ucm) - Oracle, Inc. - c:\oracle\ecm\ucm\bin\IdcServerNT.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe

O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe

O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE

O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe

O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe

O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: USB2.0 VIDBOX NW02 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--

End of file - 11365 bytes

F-SCANNER LOG

Scanning Report

Friday, August 28, 2009 16:46:22 - 17:33:20

Computer name: azniazi-us

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

16 malware found

TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Adtech (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Zanox (spyware)

* System (Disinfected)

TrackingCookie.Adrevolver (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Trojan.Dropper.Kobcka.Gen.1 (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{D173B075-A301-416C-8536-C80F5322E8F8}\RP39\A0008389.DLL (Renamed & Submitted)

Statistics

Scanned:

* Files: 81513

* System: 3605

* Not scanned: 13

Actions:

* Disinfected: 15

* Renamed: 1

* Deleted: 0

* Not cleaned: 0

* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS

* C:\PAGEFILE.SYS

* C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\2900

* C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\3640

* C:\WINDOWS\SYSTEM32\MRT.EXE

* C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FLASH.OCX

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPSVC.EXE

* C:\PROGRAM FILES\APACHE GROUP\APACHE2\BIN\APACHEMONITOR.EXE

SECURITY CHECK LOG

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Symantec Antivirus 10.1.6

Symantec AntiVirus

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java Runtime Environment v1.5.0_15

Adobe Reader 9.1.3

``````````````````````````````

Process Check:

objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus SavRoam.exe

Symantec AntiVirus Rtvscan.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java Runtime Environment v1.5.0_15

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317
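The reply above acts on two things visible in the posted HijackThis log: services listed with "Unknown owner" or "(file missing)", and an outdated JRE (jre1.5.0_15) referenced by the O2/O9 entries. The following is an added example of how an analyst might pull those leads out of such a log automatically; it is not HijackThis or screen317's code. The sample lines are constructed from the entry formats seen in this thread, and the MIN_JRE baseline is an assumption, not a value the thread gives. A hit is a lead to follow up, not a verdict that the entry is malicious.

```python
"""Triage helpers for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the entry formats in the thread
# (O2 browser helper objects, O4 autostart entries, O9 buttons, O23 services).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
"""

# Assumed baseline (not from the thread): any JRE older than this is reported for removal.
MIN_JRE = (1, 6, 0, 0)

# O23 lines: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A JRE install directory such as "\jre1.5.0_15\" anywhere in a path.
JRE_RE = re.compile(r"\\jre(?P<ver>\d+\.\d+\.\d+_\d+)\\", re.IGNORECASE)


@dataclass
class Service:
    name: str
    owner: str
    path: str
    missing: bool


def parse_services(log_text):
    """Return one Service per O23 line; other entry types are ignored here."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(m["name"], m["owner"], m["path"], m["missing"] is not None))
    return services


def jre_version(ver_text):
    """'1.5.0_15' -> (1, 5, 0, 15) so versions compare numerically, not as strings."""
    major, minor, rest = ver_text.split(".")
    micro, update = rest.split("_")
    return (int(major), int(minor), int(micro), int(update))


def jre_versions_referenced(log_text):
    """Distinct JRE versions referenced by any path in the log (BHOs, O9 buttons, ...)."""
    found = {jre_version(m["ver"]) for m in JRE_RE.finditer(log_text)}
    return sorted(found)


def triage(log_text):
    """Heuristic findings an analyst would follow up: unsigned/unknown services,
    services whose binary is gone, and JRE installs below the assumed baseline."""
    findings = {"unknown_owner": [], "file_missing": [], "old_jre": []}
    for svc in parse_services(log_text):
        if svc.owner.lower() == "unknown owner":
            findings["unknown_owner"].append(svc.name)
        if svc.missing:
            findings["file_missing"].append(svc.name)
    for ver in jre_versions_referenced(log_text):
        if ver < MIN_JRE:
            findings["old_jre"].append("%d.%d.%d_%d" % ver)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print("%-14s %s" % (category + ":", ", ".join(items) or "-"))
```

On the sample above this reports NMSAccessU and WMDM PMSP Service as unknown-owner services, WMDM PMSP Service as file-missing, and 1.5.0_15 as an old JRE, which is the same set of items the reply asks the poster to act on. An "Unknown owner" entry only means HijackThis could not read a publisher from the binary; legitimate third-party services (CDBurnerXP here) show up the same way, so each hit still needs a look at the file itself.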


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
