Full Version: Bloodhound.Packed.JMP
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
satish
Hi, I found out that my system has been infected with the virus Bloodhound.Packed.JMP. Initially it once showed a virus named Gamma.32, but after that no such virus is visible. My antivirus software (Symantec Corporate Edition) stops responding once it detects Bloodhound.Packed.JMP. I reinstalled my XP alone after formatting E:, in which my XP was installed. So, as mentioned in this forum, I used ComboFix and the log file is:

ComboFix 08-04-01.2 - Preeti 2008-04-02 19:58:17.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.103 [GMT 5.5:30]
Running from: E:\Documents and Settings\Preeti\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
E:\WINDOWS\system32\amvo.exe
E:\WINDOWS\system32\amvo0.dll
E:\WINDOWS\system32\amvo1.dll
F:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf
I:\Autorun.inf
J:\Autorun.inf
K:\Autorun.inf
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 19:38 . 2008-04-02 19:38 <DIR> d--hs---- E:\Recycled
2008-04-02 19:25 . 2008-04-02 19:26 <DIR> d-------- E:\Documents and Settings\Preeti\Application Data\Roxio
2008-04-02 19:24 . 2008-04-02 19:24 <DIR> d-------- E:\Program Files\Roxio
2008-04-02 19:24 . 2008-04-02 19:24 <DIR> d-------- E:\Program Files\directx
2008-04-02 19:23 . 2008-04-02 19:23 <DIR> d-------- E:\Program Files\Common Files\Roxio Shared
2008-04-02 19:20 . 2008-04-02 19:20 <DIR> d-------- E:\Program Files\Symantec_Client_Security
2008-04-02 19:20 . 2008-04-02 19:20 <DIR> d-------- E:\Program Files\Symantec
2008-04-02 19:20 . 2008-04-02 19:20 <DIR> d-------- E:\Program Files\Common Files\Symantec Shared
2008-04-02 19:20 . 2008-04-02 19:20 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 19:20 . 2008-04-02 19:19 124,167 --a------ E:\WINDOWS\system32\SYMEVNT.386
2008-04-02 19:20 . 2008-04-02 19:19 83,208 --a------ E:\WINDOWS\system32\S32EVNT1.DLL
2008-04-02 19:20 . 2008-04-02 19:19 73,496 --a------ E:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-02 19:19 . 2008-04-02 19:19 <DIR> d-------- E:\Program Files\Common Files\InstallShield
2008-04-02 19:19 . 2008-04-02 19:19 103,182 -r-hs---- E:\mvxm.cmd
2008-04-02 19:18 . 2008-04-02 19:18 13,008 --a------ E:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 03:18 --------- d-----w E:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"RoxioEngineUtility"="E:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-16 20:15 868352]
"RoxioAudioCentral"="E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 12:38 319488]

R2 Pctspk;PCTEL Speaker Phone;E:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;E:\WINDOWS\System32\DRIVERS\ptserlp.sys [2001-08-17 13:28]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 20:00:12
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
.
**************************************************************************
.
Completion time: 2008-04-02 20:00:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 14:30:36
Pre-Run: 7,881,998,336 bytes free
Post-Run: 7,875,272,704 bytes free


And the HijackThis log file is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:27 PM, on 4/2/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "E:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe

--
End of file - 2508 bytes

I am using both Windows 98 and Windows XP.

Windows 98 is in C: and XP is in E:.

Kindly help me in solving this issue. Thanks in advance.
teacup61
Hello satish,

Welcome to Gladiator Security Forum

An unprotected, unpatched Windows XP installation will get infected within minutes of connecting to the Internet. Because of this, we'll require you to install critical updates (SP1) before providing assistance in our forums. If not, we're both just wasting our time. Also, no promises for 98. It's completely unsupported and very few of our tools work on it any more.

http://www.microsoft.com/downloads/details...e5-023443e29d78

When you're done, please post a new HijackThis log for me to look at.

Thanks,
tea
satish
QUOTE (teacup61 @ Apr 3 2008, 07:35 PM)

Thanks a lot.

Here is my new HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:09 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\WINDOWS\System32\NMSSvc.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\WINDOWS\System32\igfxtray.exe
E:\WINDOWS\System32\hkcmd.exe
E:\Program Files\DNA\btdna.exe
F:\Program Files\Opera 9\Opera.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - E:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe

--
End of file - 2488 bytes
teacup61
Hello,

You sure don't run much on it, huh? There is nothing bad showing there, for sure, though be careful of the torrent site, as you probably know already. Are your scans coming up clean now? Your version of ComboFix is several days old now. Please delete it and Qoobox. It's been updated several times since you got that version.

Let me know how it's running, and let me know about the 98 machine as well.

Thanks,
tea