IObit Forum

worm.autorun and hijack.shell keeps on reappearing


sojanponnoly


Many programs keep popping up during operation of the system (e.g. Yahoo, MSN, Gtalk, etc.)

 

 

IObit Security 360

 

OS:Windows XP

Version:0.4.0.20

Define Version:1123

Time Elapsed:02/10/2009 14:03:56

Objects Scanned:70687

Threats Found:3

 

|Name|Type|Description|ID|
|---|---|---|---|
|Hijack.Shell|Registry Data|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value=Shell|6-585|
|Worm.AutoRun|File|C:\WINDOWS\system32\macfee_.exe|4-10742|
|Worm.AutoRun|File|C:\WINDOWS\macfee_.exe|4-19250|


Hijack scan log

 

Thanks for replying... I would also like to tell you that duplication of all the folders has occurred in most of the drives... I have been scanning all the drives for the past 2 days and removing all the threats using IObit Security 360... Since the log is very lengthy, I have submitted it in 2 posts... the 1st one is stated below...

 

 

Logfile of IObit HijackScan v0.2.2.0

Scan saved at 2:30:21, on 2009-10-4

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG8\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LAN Voice Chat\Speechs.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\VM303_STI.EXE

C:\Program Files\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG8\avgemc.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sojan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe


2nd part

 

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll

O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\RunOnce\: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}LegitCheckControl.LegitCheck.1 - http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}YInstHelper.YInstStarter.1 - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166}Microsoft.wlsc.wlscInstall.1 - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_13 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}Java Plug-in 1.6.0_13 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_13 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

O23 - Service: Autodesk Licensing Service (Autodesk Licensing Service) - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown - .dll

O23 - Service: Diskeeper (Diskeeper) - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MSCSPTISRV (MSCSPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR (PACSPTISVR) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: ServiceLayer (ServiceLayer) - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Glasovne poruke (Speechsrv) - Unknown - C:\Program Files\LAN Voice Chat\Speechs.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec Core LC (Symantec Core LC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


Hi sojan,

 

Although it may be related to your camera for uninstalling reasons:

Important: Some malware camouflage themselves as regshave.exe, particularly if they are located in C:\windows or C:\windows\system32 folder.

It doesn't need to be in startup.

 

-Upload and check the regshave.exe file in VirusTotal.

And, also C:\WINDOWS\VM303_STI.EXE please.

 

-Update your Adobe from 8.0 to 9.1.3

 

Update your Java from 1.6.0_13 to 1.6.0_16

 

Both of those old versions had vulnerabilities.

 

Which net-connect software are you using from Symantec?

 

You have other unneeded software running in startup also.

 

Cheers.

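The advice in the reply above (look twice at executables sitting directly in C:\WINDOWS or system32, and at services with an unknown vendor) can be turned into a small triage pass over HijackScan-style O4 and O23 lines. The script below is an added example for this thread; it is not IObit's code and not part of any forum post. Its baseline allowlist, its list of imitated product names, and the sample lines are assumptions constructed for the demo: most sample lines are copied from the posted log, but the `[macfee]` O4 line is constructed to model the `macfee_.exe` files that the Security 360 scan in the first post reported, and it does not appear in the posted HijackScan log.

```python
"""Triage HijackScan/HijackThis-style startup (O4) and service (O23) lines.

Added example for the IObit forum thread, not IObit's own code.  The rules are
assumptions modelled on the helper's advice: executables directly in the
Windows directories deserve a second look, services with an unknown vendor or
a non-path binary are odd, and names imitating a security product (the scan's
macfee_.exe) are worth flagging."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format shown in the thread; the [macfee] line is
# constructed from the Security 360 detection, the rest are from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [macfee] C:\WINDOWS\system32\macfee_.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown - .dll
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
"""

# Assumed baseline: helpers that legitimately live directly in the Windows
# directories on this XP box (Intel graphics tray tools, ctfmon, NeroCheck).
BASELINE_SYSTEM_EXES = {"hkcmd.exe", "igfxtray.exe", "igfxpers.exe",
                        "ctfmon.exe", "nerocheck.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Assumed list of product names a dropper might imitate.
PRODUCT_NAMES = ["mcafee", "symantec", "norton", "kaspersky", "avast"]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\|(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - "
                    r"(?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "O4" or "O23"
    name: str            # Run value name or service short name
    path: str            # executable as written in the log
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike names such as macfee vs mcafee."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_exe(cmd: str) -> str:
    """Pull the executable out of a Run value: quoted path, or path up to the
    first .exe/.com/... followed by whitespace (handles unquoted spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def check_executable(path: str) -> list:
    reasons = []
    directory, _, base = path.lower().rpartition("\\")
    if not directory:
        reasons.append("bare filename: resolved through the search path, verify which copy runs")
    elif directory in SYSTEM_DIRS and base not in BASELINE_SYSTEM_EXES:
        reasons.append(f"executable directly in {directory}, not in the baseline")
    # Strip trailing digits/underscores so macfee_ compares as macfee.
    stem = re.sub(r"[\d_]+$", "", base.rsplit(".", 1)[0])
    if len(stem) >= 5:
        for product in PRODUCT_NAMES:
            d = levenshtein(stem, product)
            if 0 < d <= 2:
                reasons.append(f"name '{base}' looks like '{product}' (edit distance {d})")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O4/O23 line; clean lines yield nothing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = extract_exe(m["cmd"])
            if reasons := check_executable(exe):
                findings.append(Finding("O4", m["name"], exe, reasons))
        elif m := O23_RE.match(line):
            reasons = []
            if m["vendor"].strip().lower() == "unknown":
                reasons.append("service binary has no recognised vendor")
            if not re.match(r"^[a-z]:\\", m["path"], re.IGNORECASE):
                reasons.append(f"service path '{m['path']}' is not an absolute file path")
            if reasons:
                findings.append(Finding("O23", m["short"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for r in f.reasons:
            print("   -", r)
```

On the sample, the baseline entry (hkcmd.exe), the camera tool under Program Files and the AVG tray are silent; VM303_STI.EXE is reported only because it sits directly in C:\WINDOWS, the bare `sttray.exe` because its location cannot be verified from the log, the constructed `macfee_.exe` on both the directory and the look-alike rule, and CLTNetCnService on both the unknown vendor and its `.dll` non-path. A finding is a prompt to hash and look the file up, exactly as the reply suggests, not a verdict.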

Thanks for the reply... you guys are amazing... replying to everyone's problems... I have started using a PC recently... so I am slow at understanding stuff... but I appreciate your efforts... :) ... thanks... I have checked the above mentioned files in VirusTotal and the report is pasted below:

 

File REGSHAVE.EXE received on 2009.09.29 15:15:06 (UTC)

Current status: finished

Result: 0/40 (0.00%)


|Antivirus|Version|Last Update|Result|
|---|---|---|---|
|a-squared|4.5.0.24|2009.09.29|-|
|AhnLab-V3|5.0.0.2|2009.09.29|-|
|AntiVir|7.9.1.27|2009.09.29|-|
|Antiy-AVL|2.0.3.7|2009.09.29|-|
|Authentium|5.1.2.4|2009.09.29|-|
|Avast|4.8.1351.0|2009.09.28|-|
|AVG|8.5.0.412|2009.09.29|-|
|BitDefender|7.2|2009.09.29|-|
|CAT-QuickHeal|10.00|2009.09.29|-|
|ClamAV|0.94.1|2009.09.29|-|
|Comodo|2469|2009.09.29|-|
|DrWeb|5.0.0.12182|2009.09.29|-|
|eSafe|7.0.17.0|2009.09.29|-|
|eTrust-Vet|31.6.6768|2009.09.29|-|
|F-Prot|4.5.1.85|2009.09.29|-|
|F-Secure|8.0.14470.0|2009.09.29|-|
|Fortinet|3.120.0.0|2009.09.29|-|
|GData|19|2009.09.29|-|
|Ikarus|T3.1.1.72.0|2009.09.29|-|
|Jiangmin|11.0.800|2009.09.27|-|
|K7AntiVirus|7.10.856|2009.09.29|-|
|Kaspersky|7.0.0.125|2009.09.29|-|
|McAfee|5755|2009.09.28|-|
|McAfee+Artemis|5755|2009.09.28|-|
|McAfee-GW-Edition|6.8.5|2009.09.29|-|
|Microsoft|1.5005|2009.09.23|-|
|NOD32|4467|2009.09.29|-|
|Norman|6.01.09|2009.09.29|-|
|nProtect|2009.1.8.0|2009.09.29|-|
|Panda|10.0.2.2|2009.09.28|-|
|PCTools|4.4.2.0|2009.09.29|-|
|Rising|21.49.14.00|2009.09.29|-|
|Sophos|4.45.0|2009.09.29|-|
|Sunbelt|3.2.1858.2|2009.09.29|-|
|Symantec|1.4.4.12|2009.09.29|-|
|TheHacker|6.5.0.2.021|2009.09.28|-|
|TrendMicro|8.500.0.1002|2009.09.29|-|
|VBA32|3.12.10.11|2009.09.29|-|
|ViRobot|2009.9.29.1963|2009.09.29|-|
|VirusBuster|4.6.5.0|2009.09.29|-|

Additional information

File size: 53248 bytes

MD5 : 552e9ca7b91120fb7d49cd5c10018dc3

SHA1 : 8721197a942f6dcd274814687c20fd1a047e667d

SHA256: 106eb5c456eed3752932de881448b83530dff8c9d2c827e25d6cdc13bab60184

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x69B0

timedatestamp.....: 0x3C5E8D59 (Mon Feb 4 14:32:09 2002)

machinetype.......: 0x14C (Intel I386)

 

( 4 sections )

|name|viradd|virsiz|rawdsiz|ntrpy|md5|
|---|---|---|---|---|---|
|.text|0x1000|0x5D32|0x6000|6.14|288205225d54a7d1f95781b90e63f2ba|
|.rdata|0x7000|0x1156|0x2000|3.23|2f41ef9ef35067fb135e54373e9216a2|
|.data|0x9000|0x16F8|0x2000|3.87|3bd1f418ca64e80795b9d934f8495a56|
|.rsrc|0xB000|0x1ED8|0x2000|3.53|342d087b47fc83184db93031545db642|

 

( 0 imports )

 

 

( 0 exports )

TrID : File type identification

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

ThreatExpert: http://www.threatexpert.com/report.aspx?md5=552e9ca7b91120fb7d49cd5c10018dc3

ssdeep: 768:GUlvODrrwbdMJTotb5trFtFOC2Urf9iS1lUt:92jsuJTotbXrFtyUr1iS1+

PEiD : Armadillo v1.71

CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=552e9ca7b91120fb7d49cd5c10018dc3

RDS : NSRL Reference Data Set

 

 

 

MD5: 59c21f2e20088038544c04beacb8ba10

First received: 2009.02.15 15:51:44 UTC

Date: 2009.09.24 13:46:38 UTC [>9D]

Results: 0/41

Permalink: analisis/f6e041a0165d58f7df32a82a444eedf8af5a0cb219cbfcc915769cea48daa3a9-1253799998


Archived

This topic is now archived and is closed to further replies.
