Hijack log?

Status
Not open for further replies.

mattew

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:29 AM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\WordWeb\wweb32.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Solid Edge V18\Program\Edge.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Digital Library\MY GRE\my smart ehdocs\manual spyware removal instruction by osrisis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vsh10/en-...0&installtype=force&langid=1&systempopup=true
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 4098 bytes



Well, initially I was infected by Vundo malware. According to the McAfee scan the malware was removed, but I am not very sure of it.
So I want to make sure whether the malware is out of my computer or not.
Please help me, guys.
 
Hello Mattew, :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
 
Well, traces of the malware are still out there.
Is anything serious out there?
Please let me know what these things are doing.
 
Deckard's System Scanner v20071014.68
Run by rahul on 2008-06-04 00:31:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
33: 2008-06-03 19:01:46 UTC - RP33 - Deckard's System Scanner Restore Point
32: 2008-06-03 16:35:43 UTC - RP32 - System Checkpoint
31: 2008-06-02 13:52:28 UTC - RP31 - System Checkpoint
30: 2008-05-31 15:10:46 UTC - RP30 - System Checkpoint
29: 2008-05-25 07:49:08 UTC - RP29 - System Checkpoint


-- First Restore Point --
1: 2008-05-02 13:49:39 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as rahul.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:15 AM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\WordWeb\wweb32.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\Pdwsnqu8.exe
E:\Digital Library\MY GRE\my smart ehdocs\manual spyware removal instruction by osrisis\dss.exe
E:\DIGITA~1\MYGRE~1\MYSMAR~1\MANUAL~1\rahul.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vsh10/en-...0&installtype=force&langid=1&systempopup=true
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 4171 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfee AntiSpyware Service - "c:\progra~1\mcafee\mcafee antispyware\massrv.exe" <Not Verified; McAfee, Inc.; McAfee AntiSpyware>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 00:27:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-04 00:18:00 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-06-03 23:21:34 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-03 23:00:10 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-03 23:00:05 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-03 22:00:05 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-03 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-03 21:00:05 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-03 21:00:01 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-03 20:00:01 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-06-03 19:24:14 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-03 17:00:01 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-06-03 16:39:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-03 13:00:05 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-03 13:00:01 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-06-03 12:00:05 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-03 12:00:01 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-06-03 11:00:05 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-03 11:00:01 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-06-03 10:00:01 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-03 09:55:32 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-02 19:00:01 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-06-01 14:00:05 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-01 14:00:01 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-05-31 15:00:05 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-05-31 15:00:01 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-05-31 13:10:48 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-05-31 01:00:01 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-05-30 02:00:01 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-05-29 23:51:22 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-05-29 23:51:21 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-05-29 23:51:21 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-05-02 20:46:59 362 --a------ C:\WINDOWS\Tasks\McAfee AntiSpyware.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-03 22:18:42 35842 --a------ C:\WINDOWS\system32\Pdwsnqu8.exe
2008-06-01 22:43:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 22:43:35 0 d-------- C:\Documents and Settings\rahul\Application Data\uTorrent
2008-05-31 21:42:37 0 d-------- C:\Documents and Settings\rahul\Application Data\TypingMaster7
2008-05-31 21:42:29 0 dr------- C:\Program Files\TypingMaster
2008-05-31 19:10:46 19456 --a------ C:\WINDOWS\system32\8Ky0mM30.dll
2008-05-31 19:00:44 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-05-31 19:00:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-05-31 19:00:16 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-19 19:22:05 0 d-------- C:\Program Files\Smart Projects
2008-05-17 10:44:26 0 d-------- C:\Documents and Settings\rahul\Application Data\dvdcss
2008-05-15 00:44:02 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-11 20:58:14 0 d-------- C:\Documents and Settings\rahul\Application Data\Talkback
2008-05-10 13:11:36 0 d-------- C:\Program Files\ElcomSoft
2008-05-10 00:45:25 1024 --a------ C:\WINDOWS\system32\pwdremover.dat
2008-05-08 01:16:41 0 d-------- C:\WINDOWS\pss
2008-05-07 11:43:08 0 d-------- C:\Program Files\Google
2008-05-07 11:43:08 0 d-------- C:\Documents and Settings\rahul\Application Data\Google
2008-05-06 21:16:58 0 d-------- C:\Documents and Settings\rahul\Application Data\Unigraphics Solutions
2008-05-06 21:13:16 0 d-------- C:\Program Files\Solid Edge V18
2008-05-06 21:13:08 0 d-------- C:\Program Files\Rainbow Technologies
2008-05-06 21:11:51 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-05 00:18:18 0 d-------- C:\Documents and Settings\rahul\Application Data\Macromedia
2008-05-05 00:13:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-05 00:13:54 0 d-------- C:\Documents and Settings\rahul\Application Data\Mozilla
2008-05-04 01:47:24 24 --a------ C:\Documents and Settings\rahul\rahul.bat
2008-05-04 01:15:33 0 d--h----- C:\WINDOWS\PIF


-- Find3M Report ---------------------------------------------------------------

2008-05-24 19:23:41 0 d-------- C:\Program Files\Winamp
2008-05-06 21:12:57 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-05 00:18:18 0 d-------- C:\Documents and Settings\rahul\Application Data\Adobe
2008-05-03 22:34:32 0 d-------- C:\Program Files\WordWeb
2008-05-03 20:25:06 0 d-------- C:\Documents and Settings\rahul\Application Data\.BitTornado
2008-05-03 12:25:58 0 d-------- C:\Documents and Settings\rahul\Application Data\vlc
2008-05-03 08:18:12 268435456 --ahs---- C:\WinPEpge.sys
2008-05-03 08:18:11 0 -rahs---- C:\$lsdrive$
2008-05-03 08:18:11 0 -rahs---- C:\$installdrive$
2008-05-03 08:18:11 0 -rahs---- C:\$bootdrive$
2008-05-03 00:35:39 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-03 00:35:35 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-03 00:35:15 62 --ahs---- C:\Documents and Settings\rahul\Application Data\desktop.ini
2008-05-02 20:59:15 0 d-------- C:\Program Files\McAfee.com
2008-05-02 20:50:13 0 d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-05-02 20:46:41 0 d-------- C:\Program Files\McAfee
2008-05-02 20:44:47 0 d-------- C:\Documents and Settings\rahul\Application Data\Identities
2008-05-02 20:39:29 0 d-------- C:\Program Files\Common Files
2008-05-02 20:39:29 0 d-------- C:\Program Files\Common Files\Nero
2008-05-02 20:38:36 0 d-------- C:\Program Files\Ahead
2008-05-02 20:38:23 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-02 20:32:54 0 d-------- C:\Program Files\Microsoft.NET
2008-05-02 20:32:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-02 20:24:07 0 d-------- C:\Program Files\FLVPlayer
2008-05-02 20:20:58 0 d-------- C:\Program Files\VideoLAN
2008-05-02 19:51:51 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 19:33:51 0 d-------- C:\Program Files\Realtek
2008-05-02 19:33:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 19:33:48 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-05-02 19:32:21 0 d-------- C:\Program Files\Intel Desktop Board
2008-05-02 19:31:01 0 d-------- C:\Program Files\Intel
2008-05-02 19:22:45 0 d-------- C:\Program Files\MSXML 4.0
2008-05-02 19:15:34 0 d-------- C:\Program Files\microsoft frontpage
2008-05-02 19:15:20 0 --a------ C:\CONFIG.SYS
2008-05-02 19:15:20 0 --a------ C:\AUTOEXEC.BAT
2008-05-02 19:14:09 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-02 19:13:25 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-02 19:13:17 0 d-------- C:\Program Files\Movie Maker
2008-05-02 19:12:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-02 19:12:11 0 d-------- C:\Program Files\Online Services
2008-05-02 19:12:07 0 d-------- C:\Program Files\Messenger
2008-05-02 19:12:02 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-02 19:11:56 0 d-------- C:\Program Files\Windows NT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [09/17/2007 12:40 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [09/17/2007 12:40 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [09/17/2007 12:40 PM]
"RTHDCPL"="RTHDCPL.EXE" [09/17/2007 12:38 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [09/17/2007 12:38 PM C:\WINDOWS\Alcmtr.exe]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [11/18/2005 07:16 PM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 06:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 12:49 PM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 10:02 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p




-- End of Deckard's System Scanner: finished at 2008-06-04 00:33:00 ------------


Well, I would be glad if you could tell me what's happening.
Yes, I am still suffering from that malware, because the same activity happened.
While DSS was running, McAfee detected some kind of script running and I was forced to stop it. Any idea what's happening?
 
This one is the extra.txt:




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 2020.54 MiB / 1287.02 MiB
Pagefile Memory (total/avail): 3913.65 MiB / 3408.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.73 MiB

C: is Fixed (NTFS) - 48.83 GiB total, 39.36 GiB free.
D: is Fixed (NTFS) - 97.65 GiB total, 82 GiB free.
E: is Fixed (NTFS) - 86.39 GiB total, 57.92 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3250310AS - 232.88 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 48.83 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 184.05 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\rahul\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-4B61B14547
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\rahul
LOGONSERVER=\\HOME-4B61B14547
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
P_SCHEMA=C:\Program Files\Solid Edge V18\etc\UGSchemas
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\rahul\LOCALS~1\Temp
TMP=C:\DOCUME~1\rahul\LOCALS~1\Temp
USERDOMAIN=HOME-4B61B14547
USERNAME=rahul
USERPROFILE=C:\Documents and Settings\rahul
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

rahul (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1108 --> "C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "E:\Digital Library\MY GRE\my smart ehdocs\manual spyware removal instruction by osrisis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) Management Engine Interface --> C:\WINDOWS\system32\heciudlg.exe -uninstall
Intel(R) PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
IsoBuster 1.5 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Korean Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5670-0000-800000000003}
McAfee AntiSpyware --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=mas /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\masrem.ui::uninstall.htm
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox 3 Beta 5\uninstall\helper.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Sentinel System Driver 5.41.1 (32-bit) --> MsiExec.exe /I{5081528F-5DD5-49BA-8213-9A6A13502497}
Solid Edge V18 --> MsiExec.exe /I{BCBA1B06-0AB4-4FA8-8544-D174FC0B0B12}
TypingMaster Pro --> "C:\Program Files\TypingMaster\unins000.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordWeb --> C:\Program Files\WordWeb\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1255 / Warning
Event Submitted/Written: 06/03/2008 11:00:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1241 / Warning
Event Submitted/Written: 06/03/2008 01:44:33 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1231 / Warning
Event Submitted/Written: 06/02/2008 10:05:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1223 / Warning
Event Submitted/Written: 06/02/2008 01:35:45 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1215 / Warning
Event Submitted/Written: 06/02/2008 11:11:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5115 / Error
Event Submitted/Written: 06/04/2008 00:18:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At25.job command failed to start due to the following error:
%%2147942402

Event Record #/Type5095 / Error
Event Submitted/Written: 06/03/2008 11:21:33 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.100 for the Network Card with network address 001CC0197D55 has been
denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type5088 / Warning
Event Submitted/Written: 06/03/2008 10:59:13 PM
Event ID/Source: 27 / e1express
Event Description:
Intel(R) 82566DC-2 Gigabit Network Connection
Link has been disconnected.

Event Record #/Type5087 / Error
Event Submitted/Written: 06/03/2008 10:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At23.job command failed to start due to the following error:
%%2147942402

Event Record #/Type5084 / Error
Event Submitted/Written: 06/03/2008 07:54:12 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.100 for the Network Card with network address 001CC0197D55 has been
denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-06-04 00:33:00 ------------
 
Come on guys, help me out. I think this is only half done;
the malware is still out there.
IE just pops up with some crap ad.
Please help me out. I did whatever I was asked to.
Please.
 
Yes, and people have lives and jobs outside of reading logs all day. ;)

TechPro will be by to analyze it when he can and give you the next step. Sorry if that isn't what you want, but it is the best we can do.
 
Is there any way I can learn to do it myself?
I would be glad if I could fix it on my own. ;)
 
Yeah. Go through the malware removal schools like our trained staff here have, and you can do it yourself. I would know, I am doing it myself. Now please be patient.
 
I found something different from the other logs, that's it.

-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-03 22:18:42 35842 --a------ C:\WINDOWS\system32\Pdwsnqu8.exe
2008-06-01 22:43:41 0 d-------- C:\Program Files\uTorrent
2008-06-01 22:43:35 0 d-------- C:\Documents and Settings\rahul\Application Data\uTorrent
2008-05-31 21:42:37 0 d-------- C:\Documents and Settings\rahul\Application Data\TypingMaster7
2008-05-31 21:42:29 0 dr------- C:\Program Files\TypingMaster
2008-05-31 19:10:46 19456 --a------ C:\WINDOWS\system32\8Ky0mM30.dll // this one is suspicious, never found before in system32 //

The .exe file that McAfee detected as a virus was in the system32 folder, and that .exe file's name was
8od0q30.exe

Now this .dll file, which starts with a similar name, makes me think it is related to this malware problem too. That's it.
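As an added example (not part of any post in this thread, nor of the DSS or HijackThis tools), here is a small Python triage script that applies the checks a log reader would otherwise do by eye on the entries singled out above: it scores system32 file names that look machine-generated (Pdwsnqu8.exe, 8Ky0mM30.dll), clusters the At<N>.job scheduled tasks by byte size, and decodes the `%%2147942402` code from the Schedule 7901 events into an HRESULT. The sample lines are constructed from entries quoted in the DSS main.txt; the scoring thresholds and the small error-name table are the editor's assumptions, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DSS main.txt quoted in the thread.
SAMPLE_LOG = r"""
2008-06-04 00:27:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-04 00:18:00 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-06-03 23:21:34 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-05-02 20:46:59 362 --a------ C:\WINDOWS\Tasks\McAfee AntiSpyware.job
2008-06-03 22:18:42 35842 --a------ C:\WINDOWS\system32\Pdwsnqu8.exe
2008-05-31 19:10:46 19456 --a------ C:\WINDOWS\system32\8Ky0mM30.dll
2008-05-10 00:45:25 1024 --a------ C:\WINDOWS\system32\pwdremover.dat
2008-05-02 19:12:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-02 19:33:48 315392 --a------ C:\WINDOWS\HideWin.exe
"""

# DSS file line: date time size attributes path (path may contain spaces).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)


def parse_entries(text):
    """Return one dict per DSS file line, with size as int and the bare file name."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["name"] = d["path"].rsplit("\\", 1)[-1]
            entries.append(d)
    return entries


VOWELS = set("aeiou")


def random_name_score(filename):
    """Heuristic 0-4 score for how machine-generated a file name looks.
    Thresholds are the editor's assumptions; expect some false positives."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    score = 0
    if letters and digits:
        score += 1  # letters and digits mixed
    if any(c.isupper() for c in stem[1:]):
        score += 1  # capitals inside the name (8Ky0mM30)
    if letters and sum(c.lower() in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1  # unpronounceable consonant run (Pdwsnqu8)
    if digits and not re.fullmatch(r"[A-Za-z]+\d+", stem):
        score += 1  # digits that are not just a trailing version number
    return score


def suspicious_system32_files(entries, threshold=2):
    """Files created directly under system32 whose names score as generated."""
    hits = []
    for e in entries:
        folder = e["path"].rsplit("\\", 1)[0].lower()
        if folder.endswith("\\system32") and random_name_score(e["name"]) >= threshold:
            hits.append(e["name"])
    return hits


def at_job_clusters(entries, min_count=3):
    """Group At<N>.job tasks by byte size. Several identically sized jobs are worth
    dumping with `schtasks /query /v` (or `at`) to see which command they launch."""
    by_size = defaultdict(list)
    for e in entries:
        if re.fullmatch(r"At\d+\.job", e["name"]):
            by_size[e["size"]].append(e["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_count}


# Small lookup for the Win32 codes most often seen wrapped in a Schedule 7901 event.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def decode_schedule_error(code):
    """Turn the decimal '%%2147942402' from event 7901 into an HRESULT string and,
    when the HRESULT wraps a Win32 error (facility 7), the Win32 error name."""
    hresult = int(str(code).lstrip("%"))
    facility = (hresult >> 16) & 0x7FF
    win32 = hresult & 0xFFFF
    name = WIN32_ERRORS.get(win32, "unknown") if facility == 7 else "not a Win32 error"
    return f"0x{hresult:08X}", name


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("generated-looking system32 files:", suspicious_system32_files(entries))
    print("At*.job clusters by size:", at_job_clusters(entries))
    print("Schedule error:", decode_schedule_error("%%2147942402"))
```

The name scorer flags exactly the two files the thread is worried about and leaves pwdremover.dat, emptyregdb.dat and HideWin.exe alone, but a legitimate name such as msxml4 would also score 2, so treat a hit as something to look up, not a verdict. The 7901 code decodes to 0x80070002, ERROR_FILE_NOT_FOUND: the .job file still exists but the command it points at does not, which is consistent with an antivirus removing a payload while leaving its scheduled tasks behind. Confirming that means reading the task targets with `schtasks /query /v` and checking whether Pdwsnqu8.exe and 8Ky0mM30.dll are still present and what loads them.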
 