Is it heap41a virus


Solved Is it heap41a virus

Post by pratima mishra on 4th February 2009, 9:32 am

I am posting the log file of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:10 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\STacSV.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
C:\heap41a\svchost.exe
D:\Program Files\Softwin\BitDefender10\bdagent.exe
D:\WINDOWS\sttray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Administrator\Desktop\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - D:\PROGRA~1\REDIFF~2\tbu8\REDIFF~1.DLL
O3 - Toolbar: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O4 - HKLM\..\Run: [BDMCon] D:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O9 - Extra 'Tools' menuitem: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - D:\WINDOWS\system32\STacSV.exe

--
End of file - 5239 bytes


There is also a folder on the C drive named heap41a, containing 2 files:
std.txt and svchost.exe

The contents of std.txt are:

; IMPORTANT INFO ABOUT GETTING STARTED: Lines that start with a
; semicolon, such as this one, are comments. They are not executed.

; This script has a special filename and path because it is automatically
; launched when you run the program directly. Also, any text file whose
; name ends in .ahk is associated with the program, which means that it
; can be launched simply by double-clicking it. You can have as many .ahk
; files as you want, located in any folder. You can also run more than
; one ahk file simultaneously and each will get its own tray icon.

; Please read the QUICK-START TUTORIAL near the top of the help file.
; It explains how to perform common automation tasks such as sending
; keystrokes and mouse clicks. It also explains how to use hotkeys.

; SAMPLE HOTKEYS: Below are two sample hotkeys. The first is Win+Z and it
; launches a web site in the default browser. The second is Control+Alt+N
; and it launches a new Notepad window (or activates an existing one). To
; try out these hotkeys, run AutoHotkey again, which will load this file.

#z::Run [You must be registered and logged in to see this link.]

^!n::
IfWinExist Untitled - Notepad
WinActivate
else
Run Notepad
return


; Note: From now on whenever you run AutoHotkey directly, this script
; will be loaded. So feel free to customize it to suit your needs.



What to do now?


Last edited by pratima mishra on 4th February 2009, 10:19 am; edited 3 times in total

pratima mishra
Novice
Novice

Posts Posts : 8
Joined Joined : 2009-02-04
OS OS : windows XP
Points Points : 28650
# Likes # Likes : 0

View user profile

Back to top Go down
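The helper's read of the log above comes down to a handful of checks: a core Windows binary name (svchost.exe) running from C:\heap41a instead of the Windows directory, an autorun hidden in HKLM\..\Policies\Explorer\Run that launches that svchost.exe with std.txt (an AutoHotkey script) as its argument, Run/RunOnce entries under the service-account hives (S-1-5-18/19/20) and .DEFAULT, a RunOnce that uses cmd.exe to move syssetub.dll over the real syssetup.dll, a policy that disables regedit, and an orphaned URLSearchHook with no file. The script below, added here as an example and not part of the original thread or of HijackThis, automates exactly those checks over HijackThis-style log lines. The sample lines are copied from the log above; the flag categories, the list of core binary names and the assumption that Windows lives in <drive>:\WINDOWS (true for this machine, where Windows is on D:) are mine.

```python
import re

# Assumption (matches this log, where Windows is on D:): %SystemRoot% is
# <drive>:\WINDOWS.  A WINNT install would need the pattern adjusted.
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Core Windows binary names that malware borrows (svchost.exe in C:\heap41a
# above).  The real ones never run from outside the Windows directory.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Well-known SIDs of SYSTEM, LOCAL SERVICE and NETWORK SERVICE: Run keys in
# these hives are not something a legitimate installer creates.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")
# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_token(cmd):
    """Image path of a command line: the quoted string, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_process(path):
    """Flag a core-binary file name that does not live under the Windows directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in CORE_BINARIES and not WINDOWS_DIR_RE.match(path):
        return "core Windows binary name running outside the Windows directory"
    return None


def check_line(line):
    """Return the list of findings for one HijackThis log line (empty if clean)."""
    line = line.strip()
    findings = []
    if re.match(r"^[a-z]:\\", line, re.IGNORECASE):      # 'Running processes' entry
        f = check_process(line)
        return [f] if f else []
    m = O4_RE.match(line)
    if m:
        hive, key, cmd = m.group("hive"), m.group("key"), m.group("cmd")
        if key.lower().startswith("policies\\explorer\\run"):
            findings.append("autorun via Policies\\Explorer\\Run (policy key, easy to overlook)")
        if any(sid in hive for sid in SERVICE_SIDS) or hive.endswith(".DEFAULT"):
            findings.append("autorun registered under a service-account or .DEFAULT hive")
        lc = cmd.lower()
        if lc.startswith("cmd.exe") and (" move " in lc or " copy " in lc) and ".dll" in lc:
            findings.append("cmd.exe moves/copies a file over a system DLL at logon")
        f = check_process(first_token(cmd))
        if f:
            findings.append(f)
    elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
        findings.append("policy disables regedit")
    elif line.startswith(("R3 - ", "O2 - ", "O3 - ")) and line.endswith("(no file)"):
        findings.append("orphaned browser hook/BHO entry (no file on disk)")
    return findings


def triage(log_text):
    """Map each suspicious log line to its findings, in log order."""
    report = []
    for line in log_text.splitlines():
        findings = check_line(line)
        if findings:
            report.append((line.strip(), findings))
    return report


# Lines copied from the HijackThis log posted above (clean ones included so
# the false-positive behaviour is visible).
SAMPLE_LOG = r"""
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
C:\heap41a\svchost.exe
D:\Program Files\Softwin\BitDefender10\bdagent.exe
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the sample, the script flags seven lines: the heap41a svchost.exe process, the orphaned R3 hook, both Policies\Explorer\Run entries, the msnsc.exe Run and the nlsf RunOnce under S-1-5-19, and the O7 regedit policy, while BitDefender's own autoruns and the real D:\WINDOWS processes pass. The heuristics deliberately do not try to recognise msnsc.exe by name; it is caught because a Run value in a service-account hive is abnormal on its own, which is the same reasoning the helper's fix list applies.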

Solved Re: Is it heap41a virus

Post by pratima mishra on 4th February 2009, 9:39 am

My antivirus icon in the system tray has been removed by this virus/trojan.
XP is not making thumbnails of picture files (jpg etc.). When I try to open pictures using "Windows Picture and Fax Viewer", a message appears on screen: "Error loading D:\windows\system32\shimgvw.dll Invalid access to memory location"..... where D is my Windows drive (boot drive).

Trying to copy-paste anything makes my system hang.


Solved Re: Is it heap41a virus

Post by Belahzur on 4th February 2009, 2:28 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
    O4 - HKLM\..\Policies\Explorer\Run: [status] present
    O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
    O4 - HKUS\S-1-5-19\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 11:58 am

Log of Malwarebytes:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/8/2009 5:20:22 PM
mbam-log-2009-02-08 (17-20-22).txt

Scan type: Quick Scan
Objects scanned: 54473
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xbtb00001.ietoolbar (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b36cb30a-6ed9-4c62-9a8a-7de9fa234608} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.ietoolbar.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.xbtb00001 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.xbtb00001.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Program Files\Rediff Toolbar\tbu8\redifftoolbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

What to do next?


Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 3:19 pm

Please tell me, what should I do next?


Solved Re: Is it heap41a virus

Post by Belahzur on 8th February 2009, 3:21 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 3:28 pm

Here is DDS.txt :


DDS (Ver_09-02-01.01) - NTFSx86
Run by Pratima at 20:48:12.73 on Sun 02/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.653 [GMT 0:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\STacSV.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Softwin\BitDefender10\bdagent.exe
D:\WINDOWS\sttray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Documents and Settings\Pratima\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL
TB: {12F02779-6D88-4958-8AD3-83C12D86ADC7} - No File
uRun: [Yahoo! Pager] "d:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [BDMCon] d:\progra~1\softwin\bitdef~1\bdmcon.exe
mRun: [BDAgent] "d:\program files\softwin\bitdefender10\bdagent.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [Persistence] d:\windows\system32\igfxpers.exe
mRun: [RoxioEngineUtility] "d:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "d:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [googletalk] d:\program files\google\google talk\googletalk.exe /autostart
mRun: [NeroFilterCheck] d:\program files\common files\nero\lib\NeroCheck.exe
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\progra~1\yahoo!\messen~1\YPager.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\pratima\applic~1\mozilla\firefox\profiles\uybr3wdc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
d:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\d:\windows\system32\drivers\jomifn.sys --> d:\windows\system32\drivers\jomifn.sys [?]
S2 hifka;Monitor Windows;d:\windows\system32\svchost.exe -k netsvcs [2006-1-13 14336]

=============== Created Last 30 ================

2009-02-08 17:39 32,592 a------- d:\windows\system32\msonpmon.dll
2009-02-08 17:35 --d----- d:\windows\SHELLNEW
2009-02-08 17:13 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-02-08 17:13 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 17:13 --d----- d:\program files\Malwarebytes' Anti-Malware
2009-02-08 17:13 --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-08 17:06 --d----- d:\program files\Trend Micro
2009-02-04 16:17 --d----- d:\program files\Uniblue
2009-02-04 16:17 --d----- d:\docume~1\alluse~1\applic~1\DriverScanner
2009-02-04 16:13 -cd-h--- d:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-04 15:50 --d-h--- d:\windows\system32\GroupPolicy
2009-02-04 15:07 69 a------- d:\windows\NeroDigital.ini
2009-02-04 14:23 --d----- d:\program files\Nero
2009-02-04 14:23 --d----- d:\docume~1\alluse~1\applic~1\Nero
2009-02-03 01:02 --ds---- d:\documents and settings\pratima\UserData
2009-02-02 19:40 --d----- d:\documents and settings\Pratima
2009-01-30 17:27 --d----- d:\program files\Roxio
2009-01-30 17:15 --d----- d:\program files\Rediff Toolbar
2009-01-30 17:15 --d----- d:\program files\Rediff Bol
2009-01-30 17:15 --d----- d:\windows\system32\LogFiles
2009-01-30 17:11 2,309 a------- d:\windows\mozver.dat
2009-01-29 23:35 --d----- D:\My Music
2009-01-29 22:48 172,032 a----r-- d:\windows\system32\igfxres.dll
2009-01-29 16:19 --d----- d:\program files\Yahoo!
2009-01-29 16:07 171,776 a------- d:\windows\system32\drivers\kmixer.sys
2009-01-29 16:07 52,864 a------- d:\windows\system32\drivers\DMusic.sys
2009-01-29 16:07 54,272 a------- d:\windows\system32\drivers\swmidi.sys
2009-01-29 16:07 142,464 a------- d:\windows\system32\drivers\aec.sys
2009-01-29 16:07 6,400 a------- d:\windows\system32\drivers\splitter.sys
2009-01-29 16:04 --d----- d:\program files\Realtek
2009-01-29 16:02 2,944 a------- d:\windows\system32\drivers\drmkaud.sys
2009-01-29 16:02 60,800 a------- d:\windows\system32\drivers\sysaudio.sys
2009-01-29 16:02 7,552 a------- d:\windows\system32\drivers\MSKSSRV.sys
2009-01-29 16:02 4,992 a------- d:\windows\system32\drivers\MSPQM.sys
2009-01-29 16:02 5,376 a------- d:\windows\system32\drivers\MSPCLOCK.sys
2009-01-29 16:01 5,398,528 a----r-- d:\windows\system32\IDTSG.cpl
2009-01-29 16:01 2,187,264 a----r-- d:\windows\system32\stlang.dll
2009-01-29 16:01 475,136 a----r-- d:\windows\sttray.exe
2009-01-29 16:01 94,208 a----r-- d:\windows\system32\stacsv.exe
2009-01-29 16:01 145,920 a------- d:\windows\system32\drivers\portcls.sys
2009-01-29 16:01 130,048 a------- d:\windows\system32\ksproxy.ax
2009-01-29 16:01 60,288 a------- d:\windows\system32\drivers\drmk.sys
2009-01-29 16:01 4,096 a------- d:\windows\system32\ksuser.dll
2009-01-29 16:00 144,896 a----r-- d:\windows\system32\staco.dll
2009-01-29 16:00 1,222,840 a----r-- d:\windows\system32\drivers\sthda.sys
2009-01-29 16:00 270,336 a----r-- d:\windows\system32\stacapi.dll
2009-01-29 16:00 --d----- d:\program files\SigmaTel
2009-01-29 15:58 204,800 a----r-- d:\windows\system32\igfxCoIn_v4785.dll
2009-01-29 15:58 176,128 a----r-- d:\windows\system32\igfxrsky.lrc
2009-01-29 15:58 172,032 a----r-- d:\windows\system32\igfxrslv.lrc
2009-01-29 15:58 5,700,096 a----r-- d:\windows\system32\drivers\igxpmp32.sys
2009-01-29 15:58 2,555,904 a------- d:\windows\system32\igxpdx32.dll
2009-01-29 15:58 1,612,576 a------- d:\windows\system32\igxpdv32.dll
2009-01-29 15:58 149,504 a------- d:\windows\system32\igxpgd32.dll
2009-01-29 15:58 57,344 a------- d:\windows\system32\igxprd32.dll
2009-01-29 15:58 --d----- d:\windows\system32\ReinstallBackups
2009-01-29 15:57 319,456 a----r-- d:\windows\system32\difxapi.dll
2009-01-29 15:57 121,232 a----r-- d:\windows\system32\IScrNBR.bmp
2009-01-29 15:57 121,232 a----r-- d:\windows\system32\IScrNB.bmp
2009-01-29 15:57 --d----- d:\windows\system32\Lang
2009-01-29 15:57 393,216 a----r-- d:\windows\system32\igxpun.exe
2009-01-29 15:57 --d----- D:\Intel
2009-01-29 15:55 --d----- d:\windows\system32\Tools
2009-01-29 15:53 4,864 a----r-- d:\windows\system32\drivers\PortIo.sys
2009-01-29 15:30 81,984 a------- d:\windows\system32\bdod.bin
2009-01-29 15:26 --d----- d:\program files\Softwin
2009-01-29 15:26 --d----- d:\docume~1\alluse~1\applic~1\BitDefender
2009-01-29 15:26 --d----- d:\program files\common files\Softwin
2009-01-29 15:09 --ds---- d:\windows\system32\Microsoft
2009-01-29 15:09 8,192 a------- d:\windows\REGLOCS.OLD
2009-01-29 14:54 2,577 a------- d:\windows\system32\CONFIG.NT
2009-01-29 14:54 0 a------- d:\windows\control.ini
2009-01-29 14:54 23,392 a------- d:\windows\system32\nscompat.tlb
2009-01-29 14:54 16,832 a------- d:\windows\system32\amcompat.tlb
2009-01-29 14:54 316,640 a------- d:\windows\WMSysPr9.prx
2009-01-29 14:53 --dsh--- d:\documents and settings\all users\DRM
2009-01-29 14:53 488 a---hr-- d:\windows\system32\WindowsLogon.manifest
2009-01-29 14:53 488 a---hr-- d:\windows\system32\logonui.exe.manifest
2009-01-29 14:53 --ds---- d:\windows\Downloaded Program Files
2009-01-29 14:53 --d--r-- d:\windows\Offline Web Pages
2009-01-29 14:53 749 a---hr-- d:\windows\WindowsShell.Manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\wuaucpl.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\sapi.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\nwc.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\ncpa.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\cdplayer.exe.manifest
2009-01-29 14:53 --d-h--- d:\program files\WindowsUpdate
2009-01-29 14:53 --d----- d:\program files\Online Services
2009-01-29 14:53 --d----- d:\windows\system32\DirectX
2009-01-29 14:52 --d----- d:\program files\common files\MSSoap
2009-01-29 14:51 --d----- d:\program files\Unlocker
2009-01-29 14:48 --d----- d:\program files\MSN Messenger
2009-01-29 14:47 --d----- d:\program files\Windows NT
2009-01-29 14:43 --d----- d:\program files\common files\ODBC
2009-01-29 14:43 --d--r-- d:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-04 16:09 86,327 a------- d:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-29 16:04 315,392 a------- d:\windows\HideWin.exe
2009-01-29 14:51 21,640 a------- d:\windows\system32\emptyregdb.dat
2006-01-13 01:58 164,228 a--shr-- d:\windows\system32\ffofhj.dll

============= FINISH: 20:48:20.03 ===============


Now what?


Solved Re: Is it heap41a virus

Post by Belahzur on 8th February 2009, 3:33 pm


  • Download combofix from here [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it. See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 4:16 pm

Here is the ComboFix text in two parts, as it is showing a message that it is too big.


ComboFix 09-02-07.01 - Pratima 2009-02-08 21:29:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.683 [GMT 0:00]
Running from: d:\documents and settings\Pratima\Desktop\Combo-Fix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\autorun.inf
H:\cayiah.cmd
H:\tdgscr.pif

.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 17:39 . 2006-10-26 19:56 32,592 --a------ d:\windows\system32\msonpmon.dll
2009-02-08 17:38 . 2009-02-08 17:38 d-------- d:\program files\MSBuild
2009-02-08 17:38 . 2009-02-08 17:38 d-------- d:\program files\Microsoft Works
2009-02-08 17:35 . 2009-02-08 17:38 d-------- d:\windows\SHELLNEW
2009-02-08 17:34 . 2009-02-08 17:34 dr-h----- D:\MSOCache
2009-02-08 17:34 . 2009-02-08 17:39 d-------- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\program files\Malwarebytes' Anti-Malware
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-08 17:13 . 2009-01-14 16:11 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 17:13 . 2009-01-14 16:11 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-02-08 17:06 . 2009-02-08 17:06 d-------- d:\program files\Trend Micro
2009-02-04 16:17 . 2009-02-04 16:17 d-------- d:\program files\Uniblue
2009-02-04 16:17 . 2009-02-04 16:20 d-------- d:\documents and settings\All Users\Application Data\DriverScanner
2009-02-04 16:17 . 2009-02-04 16:17 d-------- d:\documents and settings\Administrator\Application Data\Uniblue
2009-02-04 16:13 . 2009-02-04 16:17 d--h-c--- d:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-04 15:50 . 2009-02-04 15:50 d--h----- d:\windows\system32\GroupPolicy
2009-02-04 15:07 . 2009-02-08 17:35 69 --a------ d:\windows\NeroDigital.ini
2009-02-04 14:29 . 2009-02-04 14:29 d-------- d:\documents and settings\Administrator\Application Data\Nero
2009-02-04 14:23 . 2009-02-04 14:23 d-------- d:\program files\Nero
2009-02-04 14:23 . 2009-02-04 14:25 d-------- d:\program files\Common Files\Nero
2009-02-04 14:23 . 2009-02-04 14:23 d-------- d:\documents and settings\All Users\Application Data\Nero
2009-02-03 01:02 . 2009-02-03 01:02 d---s---- d:\documents and settings\Pratima\UserData
2009-02-02 19:40 . 2009-02-08 21:24 d-------- d:\documents and settings\Pratima
2009-02-02 19:31 . 2009-02-02 19:31 d---s---- d:\documents and settings\Alok\UserData
2009-01-31 08:37 . 2009-02-07 23:00 d-------- d:\documents and settings\Alok
2009-01-30 20:34 . 2009-01-30 20:34 d-------- d:\program files\Google
2009-01-30 17:27 . 2009-01-30 17:27 d-------- d:\program files\Roxio
2009-01-30 17:27 . 2009-01-30 17:27 d-------- d:\program files\Common Files\Roxio Shared
2009-01-30 17:18 . 2009-01-30 17:18 d-------- d:\documents and settings\Administrator\Application Data\Rediff.com
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\windows\system32\LogFiles
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\program files\Rediff Toolbar
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\program files\Rediff Bol
2009-01-30 17:11 . 2009-01-30 17:11 2,309 --a------ d:\windows\mozver.dat
2009-01-30 17:11 . 2009-01-30 17:11 0 --a------ d:\windows\nsreg.dat
2009-01-29 23:35 . 2009-01-29 23:35 d-------- D:\My Music
2009-01-29 23:15 . 2009-01-29 23:15 d---s---- d:\documents and settings\Anurag\UserData
2009-01-29 22:48 . 2009-02-08 17:01 d-------- d:\documents and settings\Anurag
2009-01-29 22:48 . 2007-02-26 02:33 172,032 -ra------ d:\windows\system32\igfxres.dll
2009-01-29 16:19 . 2009-01-29 16:19 d-------- d:\program files\Yahoo!
2009-01-29 16:07 . 2006-01-06 15:53 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2009-01-29 16:07 . 2006-01-06 15:53 142,464 --a------ d:\windows\system32\drivers\aec.sys
2009-01-29 16:07 . 2006-01-06 15:53 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2009-01-29 16:07 . 2006-01-06 15:53 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2009-01-29 16:07 . 2006-01-06 15:53 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2009-01-29 16:04 . 2009-01-29 16:04 d-------- d:\program files\Realtek
2009-01-29 16:02 . 2006-01-06 15:53 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2009-01-29 16:02 . 2006-01-06 15:53 7,552 --a------ d:\windows\system32\drivers\MSKSSRV.sys
2009-01-29 16:02 . 2006-01-06 15:53 5,376 --a------ d:\windows\system32\drivers\MSPCLOCK.sys
2009-01-29 16:02 . 2006-01-06 15:53 4,992 --a------ d:\windows\system32\drivers\MSPQM.sys
2009-01-29 16:02 . 2006-01-06 15:53 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2009-01-29 16:01 . 2007-05-07 03:15 5,398,528 -ra------ d:\windows\system32\IDTSG.cpl
2009-01-29 16:01 . 2007-05-06 09:10 2,187,264 -ra------ d:\windows\system32\stlang.dll
2009-01-29 16:01 . 2007-05-06 09:10 475,136 -ra------ d:\windows\sttray.exe
2009-01-29 16:01 . 2006-01-06 15:53 145,920 --a------ d:\windows\system32\drivers\portcls.sys
2009-01-29 16:01 . 2006-01-06 15:53 130,048 --a------ d:\windows\system32\ksproxy.ax
2009-01-29 16:01 . 2007-05-06 09:11 94,208 -ra------ d:\windows\system32\stacsv.exe
2009-01-29 16:01 . 2006-01-06 15:53 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2009-01-29 16:01 . 2006-01-06 15:53 4,096 --a------ d:\windows\system32\ksuser.dll
2009-01-29 16:00 . 2009-01-29 16:00 d-------- d:\program files\SigmaTel
2009-01-29 16:00 . 2009-01-29 16:04 d--h----- d:\program files\InstallShield Installation Information
2009-01-29 16:00 . 2007-05-06 09:12 1,222,840 -ra------ d:\windows\system32\drivers\sthda.sys
2009-01-29 16:00 . 2007-05-06 09:11 270,336 -ra------ d:\windows\system32\stacapi.dll
2009-01-29 16:00 . 2007-05-06 09:11 144,896 -ra------ d:\windows\system32\staco.dll
2009-01-29 15:58 . 2007-02-26 03:59 5,700,096 -ra------ d:\windows\system32\drivers\igxpmp32.sys
2009-01-29 15:58 . 2007-02-26 03:59 2,555,904 --a------ d:\windows\system32\igxpdx32.dll
2009-01-29 15:58 . 2007-02-26 03:58 1,612,576 --a------ d:\windows\system32\igxpdv32.dll
2009-01-29 15:58 . 2007-02-26 04:34 204,800 -ra------ d:\windows\system32\igfxCoIn_v4785.dll
2009-01-29 15:58 . 2007-02-26 02:36 176,128 -ra------ d:\windows\system32\igfxrsky.lrc
2009-01-29 15:58 . 2007-02-26 02:36 172,032 -ra------ d:\windows\system32\igfxrslv.lrc
2009-01-29 15:58 . 2007-02-26 03:58 149,504 --a------ d:\windows\system32\igxpgd32.dll
2009-01-29 15:58 . 2007-02-26 03:58 57,344 --a------ d:\windows\system32\igxprd32.dll
2009-01-29 15:57 . 2009-01-29 15:57 d-------- d:\windows\system32\Lang
2009-01-29 15:57 . 2009-01-29 15:57 d----c--- d:\windows\system32\DRVSTORE
2009-01-29 15:57 . 2009-01-29 15:57 d-------- d:\program files\Intel
2009-01-29 15:57 . 2009-01-29 15:57 d-------- D:\Intel
2009-01-29 15:57 . 2007-03-02 06:23 393,216 -ra------ d:\windows\system32\igxpun.exe
2009-01-29 15:57 . 2006-11-10 00:25 319,456 -ra------ d:\windows\system32\difxapi.dll
2009-01-29 15:57 . 2006-01-23 02:29 121,232 -ra------ d:\windows\system32\IScrNBR.bmp
2009-01-29 15:57 . 2006-01-23 02:29 121,232 -ra------ d:\windows\system32\IScrNB.bmp
2009-01-29 15:55 . 2009-01-29 15:56 d-------- d:\windows\system32\Tools
2009-01-29 15:55 . 2009-01-30 17:27 d-------- d:\program files\Common Files\InstallShield
2009-01-29 15:53 . 2006-12-26 12:31 4,864 -ra------ d:\windows\system32\drivers\PortIo.sys
2009-01-29 15:30 . 2009-01-30 17:15 81,984 --a------ d:\windows\system32\bdod.bin
2009-01-29 15:26 . 2009-01-29 15:26 d-------- d:\program files\Common Files\Softwin
2009-01-29 15:26 . 2009-02-08 21:24 d-------- d:\documents and settings\All Users\Application Data\BitDefender
2009-01-29 15:09 . 2009-01-29 15:09 d---s---- d:\windows\system32\Microsoft
2009-01-29 15:09 . 2009-01-29 15:09 d--hs---- d:\documents and settings\LocalService
2009-01-29 15:09 . 2009-02-08 17:53 d-------- d:\documents and settings\Administrator
2009-01-29 15:09 . 2009-01-29 15:09 8,192 --a------ d:\windows\REGLOCS.OLD
2009-01-29 15:08 . 2009-01-29 15:08 d--hs---- d:\documents and settings\NetworkService

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 4:16 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 20:54 --------- d-----w d:\program files\Common Files\Adobe
2009-01-29 16:04 315,392 ----a-w d:\windows\HideWin.exe
2009-01-29 14:51 --------- d-----w d:\program files\Unlocker
2009-01-29 14:48 --------- d-----w d:\program files\MSN Messenger
2009-01-30 17:11 61,038 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2009-01-30 17:11 49,256 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2009-01-30 17:11 166,000 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
2006-01-13 01:58 164,228 --sha-r d:\windows\system32\ffofhj.dll
.

------- Sigcheck -------

2006-01-13 02:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 d:\windows\system32\drivers\tcpip.sys

2006-01-13 01:46 1075200 2deaca71a7fd77205f59d48d76b2f565 d:\windows\explorer.exe

2006-01-13 01:45 193816 0e6e611ff38eaa736d76a490df6558f8 d:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3158016]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-02-26 204800]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-02-26 229376]
"Persistence"="d:\windows\system32\igfxpers.exe" [2007-02-26 200704]
"RoxioEngineUtility"="d:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 135168]
"RoxioDragToDisc"="d:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-01-09 937984]
"googletalk"="d:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3817472]
"NeroFilterCheck"="d:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 226864]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 d:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="d:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\WINDOWS\\system32\\regsvr32.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\WINDOWS\\system32\\wuauclt.exe"=
"d:\\WINDOWS\\system32\\hkcmd.exe"=
"d:\\WINDOWS\\sttray.exe"=
"d:\\WINDOWS\\system32\\igfxtray.exe"=
"d:\\WINDOWS\\system32\\igfxpers.exe"=
"d:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE"=
"d:\\WINDOWS\\system32\\igfxsrvc.exe"=
"d:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"d:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"d:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe"=
"d:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\WINDOWS\\system32\\msiexec.exe"=
"d:\\WINDOWS\\system32\\cscript.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1518:TCP"= 1518:TCP:laqvrppt

R3 abp470n5;abp470n5;\??\d:\windows\system32\drivers\jomifn.sys --> d:\windows\system32\drivers\jomifn.sys [?]
S2 hifka;Monitor Windows;d:\windows\system32\svchost.exe -k netsvcs [2006-01-13 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hifka

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218e72aa-ee17-11dd-8a34-001921442997}]
\shELL\AutOPlay\cOMmaNd - H:\hsgeyo.cmd
\shELL\AutoRun\command - H:\hsgeyo.cmd
\shELL\eXpLorE\CommaNd - H:\hsgeyo.cmd
\shELL\oPeN\commAnd - H:\hsgeyo.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{877b89c8-f161-11dd-8a51-001921442997}]
\Shell\AutoRun\command - H:\dsncb.exe
\Shell\Explore\Command - H:\dsncb.exe
\Shell\Open\Command - H:\dsncb.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Pratima\Application Data\Mozilla\Firefox\Profiles\uybr3wdc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-08 21:32:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hifka]
"ServiceDll"="d:\windows\system32\ffofhj.dll"
.
Completion time: 2009-02-08 21:34:32 - machine was rebooted
Ok.

ComboFix-quarantined-files.txt 2009-02-08 21:34:31

Pre-Run: 23,459,414,016 bytes free
Post-Run: 23,473,340,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Solved Re: Is it heap41a virus

Post by pratima mishra on 8th February 2009, 4:17 pm

Now what to do?


Solved Re: Is it heap41a virus

Post by Belahzur on 8th February 2009, 4:24 pm

Format.
You have an infection called Sality; it's a file infector.
There is nothing we can do now, formatting is the only option.

DO NOT back up any .exe or .scr


Solved Re: Is it heap41a virus

Post by Doctor Inferno on 6th July 2009, 3:16 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.

