Redundant Virus in my notebook: Windows Police Pro, Total Security and koobface

BullGuard Antivirus Forum > Virus Removal > Removal Tools > Redundant Virus in my notebook: Windows Police Pro, Total Security and koobface

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-23-2009 8:47 (GMT +1)

Hi Team,

My notebook seems to be infected with Virus like Windows Police Pro, Total Security and koobface work.

The virus was first detected on 18th September as Windows Police Pro and Koobface worm, a day after I connected a USB (through which I suspect the virus entered.)

I had cleaned it using Malware's Anti-Malware. I even formatted and cleaned my USB using the same application. Again I had connected it yesterday and today the virus re appeared. Today, it appeared as "Total Security with the Warning Your computer is infected wall paper."

Same thing has happened with my colleagues who used the same USB. Their option was to format the C drive. However, I am not too excited to do that and wish to fight this virus and clean my notebook as well as my USB.

Please advise.

I had used the following anti virus detection softwares:

1) XoftSpySE

2) Malwarebytes' Anti-Malware

3) Dr Webs xd77vjqg.exe

I am in the process of installing avast currently. In the meantime here are the required logs:

Hijack this:

------------>

Logfile of HijackThis v1.99.1
Scan saved at 1:09:04 PM, on 9/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
D:\Downloads\avast_home_setup.exe
C:\Documents and Settings\roopali.ISMARTPANACHE\Local Settings\Temporary Internet Files\Content.IE5\ARI526N5\dds[1].scr
C:\WINDOWS\system32\cmd.exe
D:\Downloads\HijackThis.exe
C:\DOCUME~1\ROOPAL~1.ISM\LOCALS~1\Temp\RarSFX24\EDS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com.au/s/v/44.10/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4D1DA428-3B37-44E6-893A-D3A5BCE0E7E3} (Siebel High Interactivity Framework) - http://panorama.genesyslab.com/callcenter_enu/18382/applets/SiebelAx_HI_Client.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222781157203
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wiproes.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ismartpanache.net
O17 - HKLM\Software\..\Telephony: DomainName = ismartpanache.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBA180A-E7AD-4CB6-BF08-9D25B4933EAE}: NameServer = 192.168.100.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ismartpanache.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ismartpanache.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Genesys Multitenant Configuration Server (ConfigServerMT) - Unknown owner - C:\Program Files\GCTI\Multitenant Configuration Server\confserv.exe" -service ConfigServerMT (file missing)
O23 - Service: Genesys Singletenant Configuration Server (ConfigServerST) - Unknown owner - D:\GCTI\Singletenant Configuration Server\confserv.exe" -service ConfigServerST (file missing)
O23 - Service: Genesys Singletenant Configuration Server (1) (ConfigServerST_1) - Unknown owner - D:\GCTI\Singletenant Configuration Server76\confserv.exe" -service ConfigServerST_1 (file missing)
O23 - Service: Genesys Singletenant Configuration Server (2) (ConfigServerST_2) - Unknown owner - C:\Program Files\GCTI\Singletenant Configuration Server\confserv.exe" -service ConfigServerST_2 (file missing)
O23 - Service: Genesys Singletenant Configuration Server (3) (ConfigServerST_3) - Unknown owner - C:\Program Files\GCTI\Singletenant Configuration Server (1)\confserv.exe" -service ConfigServerST_3 (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
O23 - Service: Genesys DB Server (DBServer) - Unknown owner - D:\GCTI\DB Server\multiserver.exe" -service DBServer -host localhost -port 2020 -app cfg_dbserver (file missing)
O23 - Service: Genesys DB Server [OCS_DBServer] (DBServer_1) - Unknown owner - D:\GCTI\OCS_DBServer\multiserver.exe" -host localhost -port 2020 -app OCS_DBServer -service DBServer_1 (file missing)
O23 - Service: Genesys DB Server [ICON_DBServer] (DBServer_2) - Unknown owner - C:\Program Files\GCTI\DB Server\ICON_DBServer\multiserver.exe" -host ismartpa-dbf6a9 -port 2020 -app ICON_DBServer -service DBServer_2 (file missing)
O23 - Service: Genesys DB Server [DBServer_72] (DBServer_3) - Unknown owner - C:\Program Files\GCTI\DB Server\DBServer_72\multiserver.exe" -host ismartpa-dbf6a9 -port 2020 -app DBServer_72 -service DBServer_3 (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\FLEXlm\lmgrd.exe
O23 - Service: Genesys Desktop [GAD75] (GDesktop) - Unknown owner - C:\GCTI\GenesysDesktop\GAD75\bin\GDesktopDriver.exe" -service GDesktop (file missing)
O23 - Service: Genesys Desktop [GAD75] (GDesktop) - Unknown owner - C:\GCTI\GenesysDesktop\GAD75\bin\GDesktopDriver.exe" -service GDesktop (file missing)
O23 - Service: Genesys Desktop [GAD75] (GDesktop) - Unknown owner - C:\GCTI\GenesysDesktop\GAD75\bin\GDesktopDriver.exe" -service GDesktop (file missing)
O23 - Service: Genesys Desktop [GAD75] (GDesktop) - Unknown owner - C:\GCTI\GenesysDesktop\GAD75\bin\GDesktopDriver.exe" -service GDesktop (file missing)
O23 - Service: Genesys Desktop [GAD_76] (GDesktop_1) - Unknown owner - C:\GCTI\GenesysDesktop\GAD_76\bin\GDesktopDriver.exe" -service GDesktop_1 (file missing)
O23 - Service: Genesys Desktop [GAD_latest] (GDesktop_2) - Unknown owner - C:\GCTI\GenesysDesktop\GAD_latest\bin\GDesktopDriver.exe" -service GDesktop_2 (file missing)
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Genesys Interaction Concentrator [ICON_76] (ICon) - Unknown owner - C:\Program Files\GCTI\Interaction Concentrator\ICON_76\icon.exe" -host ismartpa-dbf6a9 -port 2020 -app ICON_76 -service ICon (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Genesys Message Server [Message_Server_71] (MsgServer) - Unknown owner - D:\GCTI\MsgServer\Message_Server_71\MessageServer.exe" -host ismartpa-dbf6a9 -port 2020 -app Message_Server_71 -service MsgServer (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Genesys Outbound Contact Server [OCS76] (OCServer) - Unknown owner - D:\GCTI\OCS76\cm_server.exe" -host localhost -port 2020 -app OCS76 -service OCServer -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys Outbound Contact Server [OCS_7610002] (OCServer_1) - Unknown owner - D:\GCTI\OCServer1\OCS_7610002\cm_server.exe" -host localhost -port 2020 -app OCS_7610002 -service OCServer_1 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys Outbound Contact Server [OC_Server_761] (OCServer_2) - Unknown owner - C:\Program Files\GCTI\OCServer\OC_Server_761\cm_server.exe" -host ismartpa-dbf6a9 -port 5050 -app OC_Server_761 -service OCServer_2 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Genesys Stat Server [StatServer75] (StatServer) - Unknown owner - D:\GCTI\StatServer75\statserv.exe" -host localhost -port 2020 -app StatServer75 -service StatServer (file missing)
O23 - Service: Genesys Stat Server [OCS_SS] (StatServer_1) - Unknown owner - C:\Program Files\GCTI\Stat Server\OCS_SS\statserv.exe" -host ismartpa-dbf6a9 -port 2020 -app OCS_SS -service StatServer_1 (file missing)
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Genesys T-Server for Avaya Communication Manager [TServer_AvayaCM_72] (TSrvG3) - Unknown owner - D:\GCTI\TSrvG3\TServer_AvayaCM_72\g3tcp_server.exe" -host ismartpa-dbf6a9 -port 2020 -app TServer_AvayaCM_72 -service TSrvG3 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys SIP Server [SIPServer_75] (TSrvSIP) - Unknown owner - D:\GCTI\SIPServer_75\sip_server.exe" -host localhost -port 2020 -app SIPServer_75 -service TSrvSIP -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys SIP Server [SIPServer] (TSrvSIP_1) - Unknown owner - C:\Program Files\GCTI\SIPServer\sip_server.exe" -host ismartpa-dbf6a9 -port 2020 -app SIPServer -service TSrvSIP_1 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys SIP Server [SIP76] (TSrvSIP_2) - Unknown owner - C:\Program Files\GCTI\SIP Server\SIP76\sip_server.exe" -host ismartpa-dbf6a9 -port 2020 -app SIP76 -service TSrvSIP_2 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys SIP Server [SIP_7500076] (TSrvSIP_3) - Unknown owner - C:\Program Files\GCTI\SIP Server\SIP_7500076\sip_server.exe" -host ismartpa-dbf6a9 -port 2020 -app SIP_7500076 -service TSrvSIP_3 -l C:\FLEXlm\License.txt (file missing)
O23 - Service: Genesys Stream Manager [SM_75] (VoIPSM) - Unknown owner - C:\Program Files\GCTI\IPMX\VoIPSM\SM_75\sm.exe" -host ismartpa-dbf6a9 -port 2020 -app SM_75 -service VoIPSM (file missing)
O23 - Service: Genesys Stream Manager [SM_76] (VoIPSM_1) - Unknown owner - C:\Program Files\GCTI\IPMX\SM\SM_76\sm.exe" -host ismartpa-dbf6a9 -port 2020 -app SM_76 -service VoIPSM_1 (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

<---------

Malware:

--------->

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/23/2009 12:26:34 PM
mbam-log-2009-09-23 (12-26-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190475
Time elapsed: 22 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\15222504\15222504.exe (Rogue.Multiple.H) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15222504 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\15222504 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\15222504\15222504 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\15222504\15222504.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\15222504\pc15222504ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
<---------

DDS:

------------>

DDS (Ver_09-07-30.01) - NTFSx86
Run by roopali at 13:09:50.96 on Wed 09/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1314 [GMT 5.5:30]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
D:\Downloads\avast_home_setup.exe
D:\Downloads\HijackThis.exe
C:\Documents and Settings\roopali.ISMARTPANACHE\Local Settings\Temporary Internet Files\Content.IE5\ARI526N5\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mWinlogon: Taskman=c:\recycler\s-1-5-21-6899422653-3944002669-903645732-8345\czzi.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-6899422653-3944002669-903645732-8345\czzi.exe,explorer.exe,c:\recycler\s-1-5-21-3333944634-9177798477-081953790-9714\czzi.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com.au/s/v/44.10/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4D1DA428-3B37-44E6-893A-D3A5BCE0E7E3} - hxxp://panorama.genesyslab.com/callcenter_enu/18382/applets/SiebelAx_HI_Client.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222781157203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://wiproes.webex.com/client/T26L/support/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {ECBA180A-E7AD-4CB6-BF08-9D25B4933EAE} = 192.168.100.36
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-11 55152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-30 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 Tomcat5;Apache Tomcat;c:\program files\apache software foundation\tomcat 5.5\bin\tomcat5.exe [2008-1-29 57344]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-20 280344]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-30 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-30 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-30 168776]
S2 FLEXlm Service 1;FLEXlm Service 1;c:\flexlm\lmgrd.exe [2004-9-14 815104]
S3 ConfigServerMT;Genesys Multitenant Configuration Server;c:\program files\gcti\multitenant configuration server\confserv.exe [2009-2-18 4795176]
S3 ConfigServerST;Genesys Singletenant Configuration Server;d:\gcti\singletenant configuration server\confserv.exe [2008-10-3 5557888]
S3 ConfigServerST_1;Genesys Singletenant Configuration Server (1);d:\gcti\singletenant configuration server76\confserv.exe [2009-1-8 5627100]
S3 ConfigServerST_2;Genesys Singletenant Configuration Server (2);c:\program files\gcti\singletenant configuration server\confserv.exe [2009-1-23 4682952]
S3 ConfigServerST_3;Genesys Singletenant Configuration Server (3);c:\program files\gcti\singletenant configuration server (1)\confserv.exe [2009-5-14 4794956]
S3 DBServer;Genesys DB Server;d:\gcti\db server\multiserver.exe [2008-10-3 2225092]
S3 DBServer_1;Genesys DB Server [OCS_DBServer];d:\gcti\ocs_dbserver\multiserver.exe [2008-10-3 2225092]
S3 DBServer_2;Genesys DB Server [ICON_DBServer];c:\program files\gcti\db server\icon_dbserver\multiserver.exe [2009-4-24 2237572]
S3 DBServer_3;Genesys DB Server [DBServer_72];c:\program files\gcti\db server\dbserver_72\multiserver.exe [2009-5-12 1833216]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GDesktop;Genesys Desktop [GAD75];c:\gcti\genesysdesktop\gad75\bin\GDesktopDriver.exe [2009-2-11 106496]
S3 GDesktop_1;Genesys Desktop [GAD_76];c:\gcti\genesysdesktop\gad_76\bin\GDesktopDriver.exe [2009-8-5 106496]
S3 GDesktop_2;Genesys Desktop [GAD_latest];c:\gcti\genesysdesktop\gad_latest\bin\GDesktopDriver.exe [2009-8-6 106496]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-30 29744]
S3 ICon;Genesys Interaction Concentrator [ICON_76];c:\program files\gcti\interaction concentrator\icon_76\icon.exe [2009-4-24 6690272]
S3 MsgServer;Genesys Message Server [Message_Server_71];d:\gcti\msgserver\message_server_71\MessageServer.exe [2009-1-8 1846608]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 OCServer;Genesys Outbound Contact Server [OCS76];d:\gcti\ocs76\cm_server.exe [2008-10-3 3670070]
S3 OCServer_1;Genesys Outbound Contact Server [OCS_7610002];d:\gcti\ocserver1\ocs_7610002\cm_server.exe [2008-11-10 3629110]
S3 OCServer_2;Genesys Outbound Contact Server [OC_Server_761];c:\program files\gcti\ocserver\oc_server_761\cm_server.exe [2009-2-18 3670070]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-10-2 81832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 StatServer;Genesys Stat Server [StatServer75];d:\gcti\statserver75\statserv.exe [2008-10-3 3006515]
S3 StatServer_1;Genesys Stat Server [OCS_SS];c:\program files\gcti\stat server\ocs_ss\statserv.exe [2009-2-5 3006515]
S3 TSrvG3;Genesys T-Server for Avaya Communication Manager [TServer_AvayaCM_72];d:\gcti\tsrvg3\tserver_avayacm_72\g3tcp_server.exe [2009-1-8 5131348]
S3 TSrvSIP;Genesys SIP Server [SIPServer_75];d:\gcti\sipserver_75\sip_server.exe [2008-10-3 9686252]
S3 TSrvSIP_1;Genesys SIP Server [SIPServer];c:\program files\gcti\sipserver\sip_server.exe [2008-11-11 9678580]
S3 TSrvSIP_2;Genesys SIP Server [SIP76];"c:\program files\gcti\sip server\sip76\sip_server.exe" -host ismartpa-dbf6a9 -port 2020 -app sip76 -service tsrvsip_2 -l c:\flexlm\license.txt --> c:\program files\gcti\sip server\sip76\sip_server.exe [?]
S3 TSrvSIP_3;Genesys SIP Server [SIP_7500076];c:\program files\gcti\sip server\sip_7500076\sip_server.exe [2009-2-20 9899840]
S3 VoIPSM;Genesys Stream Manager [SM_75];c:\program files\gcti\ipmx\voipsm\sm_75\sm.exe [2009-7-7 4251704]
S3 VoIPSM_1;Genesys Stream Manager [SM_76];c:\program files\gcti\ipmx\sm\sm_76\sm.exe [2009-7-8 4380532]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2008-9-1 104320]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-9-18 1852488]
S4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S4 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-29 582424]

=============== Created Last 30 ================

2009-09-18 16:28 <DIR> --d----- c:\docume~1\roopal~1.ism\applic~1\Malwarebytes
2009-09-18 16:28 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 16:28 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-18 16:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-18 15:26 <DIR> --d----- c:\documents and settings\roopali.ismartpanache\DoctorWeb
2009-09-18 14:34 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-09-18 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-09-18 14:34 <DIR> --d----- c:\program files\common files\XoftSpySE
2009-09-18 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\XoftSpySE
2009-09-18 14:33 <DIR> --d----- c:\program files\XoftSpySE6
2009-09-18 13:08 <DIR> --d----- c:\program files\a-squared Free
2009-09-18 09:32 <DIR> --d----- C:\spoolerlogs
2009-09-01 14:12 <DIR> --dsh--- C:\found.000

==================== Find3M ====================

2009-09-10 16:24 11,383 a------- c:\windows\system32\nvModes.dat
2009-07-30 20:01 81,736 a------- c:\windows\system32\lmdimon8.dll

============= FINISH: 13:11:26.07 ===============

<------------

DDS Attach.txt:

------------>

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/30/2008 2:53:41 PM
System Uptime: 9/23/2009 12:28:05 PM (1 hours ago)

==== Disk Partitions =========================

C: is FIXED (NTFS) - 24 GiB total, 8.027 GiB free.
D: is FIXED (NTFS) - 24 GiB total, 9.849 GiB free.
E: is FIXED (NTFS) - 26 GiB total, 18.588 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10228086&REV_02\4&360A6DE&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10228086&REV_02\4&360A6DE&0&00E1
Service: w39n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP193: 9/23/2009 12:32:36 PM - System Checkpoint
RP194: 9/23/2009 12:32:36 PM - System Checkpoint
RP195: 9/23/2009 12:32:36 PM - System Checkpoint
RP196: 9/23/2009 12:32:36 PM - System Checkpoint
RP197: 9/23/2009 12:32:36 PM - System Checkpoint
RP198: 9/23/2009 12:32:36 PM - System Checkpoint
RP199: 9/23/2009 12:32:36 PM - System Checkpoint
RP200: 9/23/2009 12:32:36 PM - System Checkpoint
RP201: 9/23/2009 12:32:36 PM - Installed Microsoft Office Live Meeting 2007
RP202: 9/23/2009 12:32:36 PM - System Checkpoint
RP203: 9/23/2009 12:32:36 PM - System Checkpoint
RP204: 9/23/2009 12:32:36 PM - Installed MoRUN.net Secure Reminder
RP205: 9/23/2009 12:32:36 PM - Installed HideAnyWindow
RP206: 9/23/2009 12:32:36 PM - System Checkpoint
RP207: 9/23/2009 12:32:36 PM - System Checkpoint
RP208: 9/23/2009 12:32:36 PM - System Checkpoint
RP209: 9/23/2009 12:32:36 PM - System Checkpoint
RP210: 9/23/2009 12:32:36 PM - Installed iBall Pro Cam 486
RP211: 9/23/2009 12:32:36 PM - Unsigned driver install
RP212: 9/23/2009 12:32:36 PM - System Checkpoint
RP213: 9/23/2009 12:32:36 PM - System Checkpoint
RP214: 9/23/2009 12:32:36 PM - System Checkpoint
RP215: 9/23/2009 12:32:36 PM - System Checkpoint
RP216: 9/23/2009 12:32:36 PM - System Checkpoint
RP217: 9/23/2009 12:32:36 PM - System Checkpoint
RP218: 9/23/2009 12:32:36 PM - Software Distribution Service 3.0
RP219: 9/23/2009 12:32:36 PM - System Checkpoint
RP220: 9/23/2009 12:32:36 PM - System Checkpoint
RP221: 9/23/2009 12:32:37 PM - System Checkpoint
RP222: 9/23/2009 12:32:37 PM - System Checkpoint
RP223: 9/23/2009 12:32:37 PM - System Checkpoint
RP224: 9/23/2009 12:32:37 PM - System Checkpoint
RP225: 9/23/2009 12:32:37 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
a-squared Free 4.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Apache Tomcat 5.5 (remove only)
Apple Mobile Device Support
Apple Software Update
Avanquest update
Bonjour
Broadcom Gigabit Integrated Controller
Broadcom TPM Driver Installer
BufferChm
CCPulse+
Choice Guard
Compatibility Pack for the 2007 Office system
Configuration Import Wizard
Configuration Manager
Data Doctor Recovery NTFS (Demo)
Dell Embassy Trust Suite by Wave Systems
Dell Mobile Broadband Card Utility
Dell Resource CD
DS Clock
ETS Upgrade
F4100_doccd
FlashGet 1.9.6.1073
FLEXlm License Manager 9.5
Genesys ActiveX Interface for Desktop Toolkit 7.2.000.00
Genesys Agent Desktop .NET Toolkit 7.1.000.06
Genesys CCPulse+ 7.5.000.10
Genesys Configuration Import Wizard 7.5.000.08
Genesys Configuration Manager 7.5.000.11
Genesys DB Server 7.2.000.03 [DBServer_72]
Genesys DB Server 7.5.000.07
Genesys DB Server 7.5.000.07 [OCS_DBServer]
Genesys DB Server 7.5.000.11 [ICON_DBServer]
Genesys Desktop 7.5.004.13 [GAD75]
Genesys Desktop 7.6.100.19 [GAD_76]
Genesys Desktop 7.6.202.02 [GAD_latest]
Genesys Interaction Concentrator 7.6.100.18 [ICON_76]
Genesys Interaction Routing Designer 7.5.002.01
Genesys Message Server 7.1.100.00 [Message_Server_71]
Genesys Multitenant Configuration Server 7.2.000.15
Genesys Outbound Contact Manager 7.6.100.01
Genesys Outbound Contact Server 7.6.100.02 [OCS_7610002]
Genesys Outbound Contact Server 7.6.101.06 [OC_Server_761]
Genesys Outbound Contact Server 7.6.101.06 [OCS76]
Genesys Singletenant Configuration Server 7.1.100.14
Genesys Singletenant Configuration Server 7.2.000.05
Genesys Singletenant Configuration Server 7.5.000.11
Genesys Singletenant Configuration Server 7.6.000.20
Genesys SIP Server 7.5.000.16 [SIPServer]
Genesys SIP Server 7.5.000.22 [SIPServer_75]
Genesys SIP Server 7.5.000.76 [SIP_7500076]
Genesys SIP Server 7.6.000.72 [SIP76]
Genesys Stat Server 7.5.000.21 [StatServer75]
Genesys Stat Server 7.5.000.27 [OCS_SS]
Genesys Stream Manager 7.5.004.02 [SM_75]
Genesys Stream Manager 7.6.002.02 [SM_76]
Genesys T-Server for Avaya Communication Manager 7.2.014.04 [TServer_AvayaCM_72]
GoldWave v5.52
Google Desktop
Google Toolbar for Internet Explorer
HideAnyWindow
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
iBall Pro Cam 486
Intel(R) PROSet/Wireless Software
iTunes
Java DB 10.4.1.3
Java Web Start
Java(TM) 6 Update 12
Java(TM) SE Development Kit 6 Update 12
Junk Mail filter update
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Communicator 2005
Microsoft Office Live Add-in 1.3
Microsoft Office Live Meeting 2007
Microsoft Office Outlook Connector
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2000
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
MoRUN.net Secure Reminder
Mozilla Firefox (1.5)
mPfMgr
mPfWiz
mProSafe
mSSO
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
mZConfig
Norton PC Checkup
NTRU Hybrid TSS v2.0.25
NVIDIA Drivers
Outbound Contact Manager
PhotoScape
Picasa 3
PuTTY version 0.60
QuickTime
Reliance Netconnect - Broadband+
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
SigmaTel Audio
Simulator Test Toolkit
Skype 3.0
Skype Plugin Manager
Sony Ericsson PC Suite 3.106.00
Sony Ericsson Themes Creator 4.01
SUPERAntiSpyware Free Edition
TextPad 4.7
UnloadSupport
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VDownloader 0.73
VideoLAN VLC media player 0.8.6
VNC Free Edition 4.1.3
VPN Client
Wave Infrastructure Installer
Wave Support Software
WebEx
WebFldrs XP
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.0.2
WinRAR archiver
WinUndelete
WinZip
Wireshark 1.0.6
X-Lite 3.0
XoftSpySE
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

9/23/2009 12:29:50 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service XoftSpyService with arguments "" in order to run the server: {98C10DD6-B90D-4400-9F33-93CBDFF44DBA}
9/23/2009 12:05:19 PM, error: Service Control Manager [7034] - The Genesys DB Server service terminated unexpectedly. It has done this 1 time(s).
9/23/2009 12:05:15 PM, error: Service Control Manager [7034] - The Genesys Singletenant Configuration Server service terminated unexpectedly. It has done this 1 time(s).
9/22/2009 7:29:23 PM, error: System Error [1003] - Error code 000000d1, parameter1 00000006, parameter2 00000002, parameter3 00000000, parameter4 b19682a9.
9/21/2009 7:25:40 AM, error: NETLOGON [5719] - No Domain Controller is available for domain ISMARTPANACHE due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/20/2009 7:34:15 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/18/2009 4:28:02 PM, error: Service Control Manager [7034] - The FLEXlm Service 1 service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:44:00 PM, error: NetBT [4321] - The name "ISMARTPANACHE :1d" could not be registered on the Interface with IP address 192.168.100.73. The machine with the IP address 192.168.100.10 did not allow the name to be claimed by this machine.
9/18/2009 3:40:39 PM, error: Service Control Manager [7034] - The VNC Server Version 4 service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:25:39 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/18/2009 3:25:29 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:25:26 PM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:25:17 PM, error: Service Control Manager [7034] - The Smart Card service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:25:12 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:24:36 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/18/2009 3:24:25 PM, error: Service Control Manager [7031] - The a-squared Free Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/18/2009 3:20:28 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:20:23 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:20:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/18/2009 3:20:09 PM, error: Service Control Manager [7034] - The DataSvr2 service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:20:01 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:19:59 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:19:48 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:11:27 PM, error: NetBT [4321] - The name "ISMARTPANACHE :1d" could not be registered on the Interface with IP address 192.168.100.95. The machine with the IP address 192.168.100.10 did not allow the name to be claimed by this machine.
9/18/2009 3:11:27 PM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is GENESYS2.
9/18/2009 3:10:41 PM, error: Service Control Manager [7034] - The NTRU Hybrid TSS v2.0.25 TCS service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:10:32 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:10:30 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:10:17 PM, error: Service Control Manager [7034] - The a-squared Free Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:09:39 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 3:09:15 PM, error: Service Control Manager [7034] - The AntiPol service terminated unexpectedly. It has done this 1 time(s).
9/18/2009 2:50:54 PM, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified.
9/18/2009 2:48:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/18/2009 11:54:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfetdik MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:54:21 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 1:57:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/18/2009 1:08:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
9/18/2009 1:05:50 PM, error: NETLOGON [5719] - No Domain Controller is available for domain ISMARTPANACHE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/17/2009 4:34:54 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GENESYS2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{ECBA180A-E7AD-4CB6-. The master browser is stopping or an election is being forced.
9/16/2009 7:33:16 AM, error: NetBT [4321] - The name "ISMARTPANACHE :1d" could not be registered on the Interface with IP address 192.168.100.95. The machine with the IP address 192.168.100.67 did not allow the name to be claimed by this machine.
9/16/2009 1:30:46 PM, error: Service Control Manager [7034] - The Genesys Desktop [GAD_latest] service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
<------------

Please let me know if the virus has been removed. If not, how do I do the same and avoid it in future.

Thank you.

Best Regards,

Tina

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-23-2009 8:49 (GMT +1)

These are the Malware logs when I had scanned it after the first occurance of the virus:

----------->

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/20/2009 7:32:18 PM
mbam-log-2009-09-20 (19-32-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187097
Time elapsed: 21 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
<-----------

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 9-23-2009 10:07 (GMT +1)

Hello tinasg smile

Please download Combofix from:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-23-2009 11:00 (GMT +1)

Hello Touch,

Thank you for the reply. smile

I have followed your steps and here is the output of the combo fix log.txt:

--------->

ComboFix 09-09-22.03 - roopali 09/23/2009 15:08.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1494 [GMT 5.5:30]
Running from: d:\downloads\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090922-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3333944634-9177798477-081953790-9714
c:\recycler\S-1-5-21-6899422653-3944002669-903645732-8345
c:\recycler\S-1-5-21-6899422653-3944002669-903645732-8345\czzi.exe
c:\recycler\S-1-5-21-6899422653-3944002669-903645732-8345\Desktop.ini
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\Desktop\Total Security 2009.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\windows\system32\drivers\gasfkyiqqtgenx.sys
c:\windows\system32\drivers\gasfkympcfairx.sys
c:\windows\system32\drivers\gasfkyvkyappbn.sys
c:\windows\system32\drivers\gasfkyxiwwbcve.sys
c:\windows\system32\gasfkybegvxsvv.dat
c:\windows\system32\gasfkybilcxqvj.dll
c:\windows\system32\gasfkyduisyfda.dat
c:\windows\system32\gasfkyethprifx.dll
c:\windows\system32\gasfkygwuwmrxr.dll
c:\windows\system32\gasfkyjctnsbav.dll
c:\windows\system32\gasfkyjeytuxym.dll
c:\windows\system32\gasfkykoexdkoa.dat
c:\windows\system32\gasfkylnqvdlyx.dat
c:\windows\system32\gasfkyropfqihs.dll
c:\windows\system32\gasfkyswrtmoil.dll
c:\windows\system32\gasfkyuhtuxgsk.dll
c:\windows\system32\gasfkywmimrmtn.dat
c:\windows\system32\gasfkyxbtexuwk.dll
c:\windows\system32\gasfkyyiigmoym.dat
c:\windows\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkympxmbufq
-------\Legacy_gasfkympxmbufq
-------\Service_gasfkytqltpqlx
-------\Legacy_gasfkytqltpqlx
-------\Service_gasfkyvdymybyr
-------\Legacy_gasfkyvdymybyr

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 08:17 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-23 08:17 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-23 08:17 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-23 08:17 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-23 08:17 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-23 08:17 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-23 08:17 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-23 08:17 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-23 08:16 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-23 08:16 . 2009-09-23 08:16 -------- d-----w- c:\program files\Alwil Software
2009-09-18 10:58 . 2009-09-18 10:58 -------- d-----w- c:\documents and settings\roopali.ISMARTPANACHE\Application Data\Malwarebytes
2009-09-18 10:58 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 10:58 . 2009-09-18 10:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 10:58 . 2009-09-18 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-18 10:58 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-18 09:56 . 2009-09-20 15:06 -------- d-----w- c:\documents and settings\roopali.ISMARTPANACHE\DoctorWeb
2009-09-18 09:04 . 2009-09-18 09:04 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-18 09:04 . 2009-09-18 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-18 09:04 . 2009-09-18 09:04 -------- d-----w- c:\program files\Common Files\XoftSpySE
2009-09-18 09:04 . 2009-09-18 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-09-18 09:03 . 2009-09-18 09:04 -------- d-----w- c:\program files\XoftSpySE6
2009-09-18 07:38 . 2009-09-18 09:12 -------- d-----w- c:\program files\a-squared Free
2009-09-18 04:02 . 2009-09-18 04:02 -------- d-----w- C:\spoolerlogs
2009-09-01 08:42 . 2009-09-01 08:42 -------- d-----w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 09:46 . 2008-09-30 08:42 11383 ----a-w- c:\windows\system32\nvModes.dat
2009-09-23 09:25 . 2008-10-06 05:39 -------- d-----w- c:\program files\FlashGet
2009-09-22 04:35 . 2009-02-26 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-04 13:52 . 2009-05-08 08:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 15:02 . 2008-09-30 10:07 -------- d-----w- c:\program files\Microsoft Office Communicator
2009-08-19 06:11 . 2009-08-19 06:11 -------- d-----w- c:\program files\Common Files\snpstd3
2009-08-19 06:11 . 2008-09-30 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 05:47 . 2009-08-17 05:46 -------- d-----w- c:\program files\Reliance Netconnect - Broadband+
2009-08-15 10:19 . 2009-02-19 02:46 24912 ----a-w- c:\documents and settings\roopali.ISMARTPANACHE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 10:47 . 2009-08-12 10:46 -------- d-----w- c:\program files\HideAnyWindow
2009-08-12 10:40 . 2009-08-12 10:40 -------- d-----w- c:\documents and settings\roopali.ISMARTPANACHE\Application Data\MoRUN.net
2009-08-12 10:40 . 2009-08-12 10:40 -------- d-----w- c:\program files\MoRUN.net
2009-08-06 16:44 . 2009-08-06 16:44 -------- d-----w- c:\program files\GoldWave
2009-08-06 15:07 . 2009-08-06 15:07 -------- d-----w- c:\program files\DIFX
2009-07-30 14:31 . 2009-08-06 15:07 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2008-09-30 10:20 . 2008-09-30 10:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-30 09:58 . 2008-09-30 09:58 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-09-30 09:58 . 2008-09-30 09:58 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-30 09:58 . 2008-09-30 09:58 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 148888]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-9-30 69632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 10:58 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Genesys VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Genesys VPN Client.lnk
backup=c:\windows\pss\Genesys VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XoftSpyService"=3 (0x3)
"SeaPort"=2 (0x2)
"iPod Service"=3 (0x3)
"DataSvr2"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/23/2009 1:47 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/23/2009 1:47 PM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/11/2009 8:53 AM 55152]
R2 Tomcat5;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe [1/29/2008 2:10 AM 57344]
S2 FLEXlm Service 1;FLEXlm Service 1;c:\flexlm\lmgrd.exe [9/14/2004 2:44 PM 815104]
S3 ConfigServerMT;Genesys Multitenant Configuration Server;c:\program files\GCTI\Multitenant Configuration Server\confserv.exe [2/18/2009 11:53 AM 4795176]
S3 ConfigServerST;Genesys Singletenant Configuration Server;d:\gcti\Singletenant Configuration Server\confserv.exe [10/3/2008 9:51 AM 5557888]
S3 ConfigServerST_1;Genesys Singletenant Configuration Server (1);d:\gcti\Singletenant Configuration Server76\confserv.exe [1/8/2009 1:10 PM 5627100]
S3 ConfigServerST_2;Genesys Singletenant Configuration Server (2);c:\program files\GCTI\Singletenant Configuration Server\confserv.exe [1/23/2009 2:30 PM 4682952]
S3 ConfigServerST_3;Genesys Singletenant Configuration Server (3);c:\program files\GCTI\Singletenant Configuration Server (1)\confserv.exe [5/14/2009 9:50 PM 4794956]
S3 DBServer;Genesys DB Server;d:\gcti\DB Server\multiserver.exe [10/3/2008 9:50 AM 2225092]
S3 DBServer_1;Genesys DB Server [OCS_DBServer];d:\gcti\OCS_DBServer\multiserver.exe [10/3/2008 10:10 AM 2225092]
S3 DBServer_2;Genesys DB Server [ICON_DBServer];c:\program files\GCTI\DB Server\ICON_DBServer\multiserver.exe [4/24/2009 11:20 AM 2237572]
S3 DBServer_3;Genesys DB Server [DBServer_72];c:\program files\GCTI\DB Server\DBServer_72\multiserver.exe [5/12/2009 9:02 PM 1833216]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 GDesktop;Genesys Desktop [GAD75];c:\gcti\GenesysDesktop\GAD75\bin\GDesktopDriver.exe [2/11/2009 9:46 AM 106496]
S3 GDesktop_1;Genesys Desktop [GAD_76];c:\gcti\GenesysDesktop\GAD_76\bin\GDesktopDriver.exe [8/5/2009 4:16 PM 106496]
S3 GDesktop_2;Genesys Desktop [GAD_latest];c:\gcti\GenesysDesktop\GAD_latest\bin\GDesktopDriver.exe [8/6/2009 10:36 PM 106496]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/30/2008 3:50 PM 29744]
S3 ICon;Genesys Interaction Concentrator [ICON_76];c:\program files\GCTI\Interaction Concentrator\ICON_76\icon.exe [4/24/2009 11:41 AM 6690272]
S3 MsgServer;Genesys Message Server [Message_Server_71];d:\gcti\MsgServer\Message_Server_71\MessageServer.exe [1/8/2009 10:03 AM 1846608]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/7/2007 1:52 AM 34064]
S3 OCServer;Genesys Outbound Contact Server [OCS76];d:\gcti\OCS76\cm_server.exe [10/3/2008 2:08 PM 3670070]
S3 OCServer_1;Genesys Outbound Contact Server [OCS_7610002];d:\gcti\OCServer1\OCS_7610002\cm_server.exe [11/10/2008 9:13 AM 3629110]
S3 OCServer_2;Genesys Outbound Contact Server [OC_Server_761];c:\program files\GCTI\OCServer\OC_Server_761\cm_server.exe [2/18/2009 11:57 AM 3670070]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [10/2/2008 11:19 AM 81832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
S3 StatServer;Genesys Stat Server [StatServer75];d:\gcti\StatServer75\statserv.exe [10/3/2008 1:48 PM 3006515]
S3 StatServer_1;Genesys Stat Server [OCS_SS];c:\program files\GCTI\Stat Server\OCS_SS\statserv.exe [2/5/2009 4:23 PM 3006515]
S3 TSrvG3;Genesys T-Server for Avaya Communication Manager [TServer_AvayaCM_72];d:\gcti\TSrvG3\TServer_AvayaCM_72\g3tcp_server.exe [1/8/2009 10:04 AM 5131348]
S3 TSrvSIP;Genesys SIP Server [SIPServer_75];d:\gcti\SIPServer_75\sip_server.exe [10/3/2008 1:42 PM 9686252]
S3 TSrvSIP_1;Genesys SIP Server [SIPServer];c:\program files\GCTI\SIPServer\sip_server.exe [11/11/2008 11:50 AM 9678580]
S3 TSrvSIP_2;Genesys SIP Server [SIP76];"c:\program files\GCTI\SIP Server\SIP76\sip_server.exe" -host ismartpa-dbf6a9 -port 2020 -app SIP76 -service TSrvSIP_2 -l c:\flexlm\License.txt --> c:\program files\GCTI\SIP Server\SIP76\sip_server.exe [?]
S3 TSrvSIP_3;Genesys SIP Server [SIP_7500076];c:\program files\GCTI\SIP Server\SIP_7500076\sip_server.exe [2/20/2009 11:46 AM 9899840]
S3 VoIPSM;Genesys Stream Manager [SM_75];c:\program files\GCTI\IPMX\VoIPSM\SM_75\sm.exe [7/7/2009 9:33 PM 4251704]
S3 VoIPSM_1;Genesys Stream Manager [SM_76];c:\program files\GCTI\IPMX\SM\SM_76\sm.exe [7/8/2009 6:50 PM 4380532]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [9/1/2008 4:41 PM 104320]
S4 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/29/2009 2:45 AM 582424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-09-09 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2009-08-22 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2009-09-18 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

2009-09-18 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
TCP: {ECBA180A-E7AD-4CB6-BF08-9D25B4933EAE} = 192.168.100.36
DPF: {4D1DA428-3B37-44E6-893A-D3A5BCE0E7E3} - hxxp://panorama.genesyslab.com/callcenter_enu/18382/applets/SiebelAx_HI_Client.cab
FF - ProfilePath - c:\documents and settings\roopali.ISMARTPANACHE\Application Data\Mozilla\Firefox\Profiles\hn52gqb3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-tsnpstd3 - c:\windows\tsnpstd3.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 15:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1196)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-09-23 15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 09:50

Pre-Run: 8,420,032,512 bytes free
Post-Run: 10,710,024,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

287 --- E O F --- 2009-03-17 16:27

<---------

Hope my notebook is clean now.

Please confirm.

Best Regards,

Tina

Post Edited (Touch) : 23-09-2009 11:17:24 GMT

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 9-23-2009 12:21 (GMT +1)

Looks clean smile

Click here: http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

to download HJTinstall.exe

Save HJTinstall.exe to your desktop.

Double click on the HJTinstall.exe icon on your desktop.

By default it will install to C:\Program Files\Trend Micro\Hijack This.

Click I accept

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

Click Save to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Please post hijackthis log and tell how things are running ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-24-2009 3:05 (GMT +1)

Hello Touch,

The system seems to be running fine now. I am a bit worried about few things:

1) Some of my services do not start like MS SQL server.
2) When I clicked on the Windows Firewall from the control panel, it wouldn't start. I had to go to C:\Windows\system32\firewall.cpl to open and make it 'On'

What is the reason for this? Will I face the same issue with other services and how do I avoid it?

Also how do I avoid such spywares and virus in future and how do I clean my USB?

Is there any antivirus program that can detect virus when USB is connected to it?

Please advise.

Here is the HijackThis log:

======>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:57 AM, on 9/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\vpngui.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\ipseclog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com.au/s/v/44.10/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4D1DA428-3B37-44E6-893A-D3A5BCE0E7E3} (Siebel High Interactivity Framework) - http://panorama.genesyslab.com/callcenter_enu/18382/applets/SiebelAx_HI_Client.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222781157203
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wiproes.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ismartpanache.net
O17 - HKLM\Software\..\Telephony: DomainName = ismartpanache.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{48EBEADD-7E14-4415-814C-1F6170845907}: NameServer = 192.168.20.167,192.168.20.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBA180A-E7AD-4CB6-BF08-9D25B4933EAE}: NameServer = 192.168.100.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ismartpanache.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ismartpanache.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Genesys Multitenant Configuration Server (ConfigServerMT) - Genesys Telecomm. Labs - C:\Program Files\GCTI\Multitenant Configuration Server\confserv.exe
O23 - Service: Genesys Singletenant Configuration Server (ConfigServerST) - Genesys Telecomm. Labs - D:\GCTI\Singletenant Configuration Server\confserv.exe
O23 - Service: Genesys Singletenant Configuration Server (1) (ConfigServerST_1) - Genesys Telecomm. Labs - D:\GCTI\Singletenant Configuration Server76\confserv.exe
O23 - Service: Genesys Singletenant Configuration Server (2) (ConfigServerST_2) - Genesys Telecomm. Labs - C:\Program Files\GCTI\Singletenant Configuration Server\confserv.exe
O23 - Service: Genesys Singletenant Configuration Server (3) (ConfigServerST_3) - Genesys Telecomm. Labs - C:\Program Files\GCTI\Singletenant Configuration Server (1)\confserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
O23 - Service: Genesys DB Server (DBServer) - Genesys Telecommunications Laboratories, Inc. - D:\GCTI\DB Server\multiserver.exe
O23 - Service: Genesys DB Server [OCS_DBServer] (DBServer_1) - Genesys Telecommunications Laboratories, Inc. - D:\GCTI\OCS_DBServer\multiserver.exe
O23 - Service: Genesys DB Server [ICON_DBServer] (DBServer_2) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\DB Server\ICON_DBServer\multiserver.exe
O23 - Service: Genesys DB Server [DBServer_72] (DBServer_3) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\DB Server\DBServer_72\multiserver.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\FLEXlm\lmgrd.exe
O23 - Service: Genesys Desktop [GAD75] (GDesktop) - Genesys Telecommunication Laboratories Inc. - C:\GCTI\GenesysDesktop\GAD75\bin\GDesktopDriver.exe
O23 - Service: Genesys Desktop [GAD_76] (GDesktop_1) - Genesys Telecommunication Laboratories Inc. - C:\GCTI\GenesysDesktop\GAD_76\bin\GDesktopDriver.exe
O23 - Service: Genesys Desktop [GAD_latest] (GDesktop_2) - Genesys Telecommunication Laboratories Inc. - C:\GCTI\GenesysDesktop\GAD_latest\bin\GDesktopDriver.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Genesys Interaction Concentrator [ICON_76] (ICon) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\Interaction Concentrator\ICON_76\icon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Genesys Message Server [Message_Server_71] (MsgServer) - Genesys Telecommunications Laboratories, Inc. - D:\GCTI\MsgServer\Message_Server_71\MessageServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Genesys Outbound Contact Server [OCS76] (OCServer) - Genesys Telecommunications Laboratories, Inc. - D:\GCTI\OCS76\cm_server.exe
O23 - Service: Genesys Outbound Contact Server [OCS_7610002] (OCServer_1) - Genesys Telecommunications Laboratories, Inc. - D:\GCTI\OCServer1\OCS_7610002\cm_server.exe
O23 - Service: Genesys Outbound Contact Server [OC_Server_761] (OCServer_2) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\OCServer\OC_Server_761\cm_server.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Genesys Stat Server [StatServer75] (StatServer) - Genesys - D:\GCTI\StatServer75\statserv.exe
O23 - Service: Genesys Stat Server [OCS_SS] (StatServer_1) - Genesys - C:\Program Files\GCTI\Stat Server\OCS_SS\statserv.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
O23 - Service: Genesys T-Server for Avaya Communication Manager [TServer_AvayaCM_72] (TSrvG3) - Unknown owner - D:\GCTI\TSrvG3\TServer_AvayaCM_72\g3tcp_server.exe
O23 - Service: Genesys SIP Server [SIPServer_75] (TSrvSIP) - Unknown owner - D:\GCTI\SIPServer_75\sip_server.exe
O23 - Service: Genesys SIP Server [SIPServer] (TSrvSIP_1) - Unknown owner - C:\Program Files\GCTI\SIPServer\sip_server.exe
O23 - Service: Genesys SIP Server [SIP76] (TSrvSIP_2) - Unknown owner - C:\Program Files\GCTI\SIP Server\SIP76\sip_server.exe (file missing)
O23 - Service: Genesys SIP Server [SIP_7500076] (TSrvSIP_3) - Unknown owner - C:\Program Files\GCTI\SIP Server\SIP_7500076\sip_server.exe
O23 - Service: Genesys Stream Manager [SM_75] (VoIPSM) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\IPMX\VoIPSM\SM_75\sm.exe
O23 - Service: Genesys Stream Manager [SM_76] (VoIPSM_1) - Genesys Telecommunications Laboratories, Inc. - C:\Program Files\GCTI\IPMX\SM\SM_76\sm.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 17245 bytes

<======

Many thanks!

Best Regards,
Roopali

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 9-24-2009 6:08 (GMT +1)

I don´t know much about McAfee, but if it have a Firewall installed, it will deactivate Windows firewall.

Post new hjackthis log, and do not change font or fontsize, as it is almost impossible (for me) to read.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-24-2009 8:12 (GMT +1)

Here are the logs that I have already posted above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:57 AM, on 9/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\cvpnd.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\vpngui.exe
C:\Program Files\Genesys VPN\Genesys VPN Client 4.8.02\ipseclog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--
End of file - 17245 bytes

Also I have the following queries:

1) Can you tell the source of this virus/spyware? Is it the USB (i had given it to some one to use) or the network?
2) Is there a way to identify the source?
3) How can I avoid it or any such virus in future? I mean which is the best protection software or how do I take care of my notebook?
4) How do I avoid the spywares through internet sites?

Thanks.

tina

Post Edited (tinasg) : 24-09-2009 07:15:19 GMT

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 9-25-2009 7:10 (GMT +1)

Hello,

I noticed a member facing the same issue like me in the thread http://forum.bullguard.com/forum/10/Google-and-task-manager-not-wo_77138.html

That is after running combo fix, the SQL service is not runing.

Can you please let me know how do I resolve this as it is important for my daily office work.

Many thanks.

Regards,
Roopali

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 16319

Posted 9-25-2009 7:33 (GMT +1)

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

tinasg
New Member

Date Joined Sep 2008
Total Posts : 12

Posted 10-1-2009 3:36 (GMT +1)

Thanks for the info.

Can you please answer my following queries:

1) Can you tell the source of this virus/spyware? Is it the USB (i had given it to some one to use) or the network?
2) Is there a way to identify the source?
3) How can I avoid it or any such virus in future? I mean which is the best protection software or how do I take care of my notebook?
4) How do I avoid the spywares through internet sites?

Thanks.

Best Regards,
tina

Forum Information

Currently it is Saturday, November 21, 2009 5:47 AM (GMT +1)
There are a total of 73.023 posts in 17.111 threads.
In the last 3 days there were 9 new threads and 75 reply posts. View Active Threads