
W32.autorun.f


2 replies to this topic

#1 mobeen

mobeen

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:14 PM

Posted 15 February 2008 - 08:49 PM

Hi all,
On my Windows machine, I have different folders, but each has a desktop.ini created on the fly. And some of my folders are now not accessible, so I thought there might be some virus working underneath. I'm using Windows Vista. Symantec AntiVirus and Windows Live OneCare scans say there isn't any virus on my machine, but the Kaspersky scan says there is a virus. So I went through with ComboFix and HijackThis, and this is what they have to say. I am also attaching the Kaspersky scan log for the experts. What should I do? I have already uninstalled Symantec AntiVirus because it was slowing the PC down too much and nothing was running. Please help.

Thanks
MMM
///////////////////////////////////////////////////////////////////////////////////////////////////////
ComboFix 08-02-16.2 - Mobeen 2008-02-16 9:03:31.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.296 [GMT 8:00]
Running from: C:\Users\Mobeen\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\koos.exe
C:\Windows\system32\kprof
C:\Windows\system32\poof

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IDSVIX86


((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:07 --------- d---a-w C:\PROGRA~2\TEMP
2008-02-16 00:52 --------- d-----w C:\Program Files\EsetOnlineScanner
2008-02-15 17:16 --------- d-----w C:\Program Files\Empty Temp Folders 2.8.3
2008-02-15 15:02 --------- d-----w C:\PROGRA~2\Kaspersky Lab
2008-02-15 14:17 --------- d-----w C:\Users\Mobeen\AppData\Roaming\Skype
2008-02-14 17:07 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-02-14 16:57 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-02-13 16:55 --------- d-----w C:\Program Files\AMD
2008-02-13 14:52 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 14:49 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 14:49 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 14:49 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 14:49 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 14:49 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 14:49 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 14:49 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 14:44 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 14:44 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 14:44 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 14:44 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 14:44 110,136 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 14:43 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 14:43 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 14:42 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 14:42 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 14:42 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 14:42 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 14:39 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 04:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-13 04:27 --------- d-----w C:\PROGRA~2\Symantec
2008-02-13 04:26 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-02-13 04:26 8,014 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-02-13 04:26 109,744 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-02-13 04:26 --------- d-----w C:\Program Files\Symantec
2008-02-13 04:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-10 12:55 --------- d-----w C:\Users\Mobeen\AppData\Roaming\OpenOffice.org2
2008-02-10 07:20 --------- d-----w C:\Program Files\QuickTime
2008-02-09 15:20 --------- d-----w C:\PROGRA~2\Apple Computer
2008-02-08 12:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 12:56 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-07 10:43 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-02-07 10:38 --------- d-----w C:\Program Files\Microsoft XNA
2008-02-07 09:56 --------- d-----w C:\Program Files\Windows Mail
2008-02-07 09:51 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-07 09:51 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-02-07 09:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-01 15:45 --------- d-----w C:\Users\Mobeen\AppData\Roaming\MathWorks
2008-02-01 15:12 --------- d-----w C:\Program Files\MATLAB
2008-02-01 15:00 --------- d-----w C:\Users\Mobeen\AppData\Roaming\DAEMON Tools
2008-02-01 15:00 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-02-01 14:55 716,272 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-01-30 14:53 296,960 ----a-w C:\Windows\winhlp32.exe
2008-01-27 07:17 --------- d-----w C:\Program Files\Image-Line
2008-01-26 06:28 --------- d-----w C:\PROGRA~2\ATI
2008-01-26 06:17 --------- d-----w C:\Program Files\ATI Technologies
2008-01-23 14:53 --------- d-----w C:\Users\Mobeen\AppData\Roaming\Helios
2008-01-23 14:49 --------- d-----w C:\Program Files\TextPad 5
2008-01-23 14:22 --------- d-----w C:\Program Files\Tcl
2008-01-23 14:17 --------- d-----w C:\Program Files\vtk42
2008-01-23 13:38 --------- d-----w C:\Program Files\Google
2008-01-20 12:58 --------- d-----w C:\PROGRA~2\Autodesk
2008-01-20 12:36 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-20 12:36 --------- d-----w C:\Program Files\Autodesk
2008-01-19 13:06 --------- d-----w C:\Users\Mobeen\AppData\Roaming\DivX
2008-01-15 12:30 --------- d-----w C:\Users\Mobeen\AppData\Roaming\LowRateVoip
2008-01-10 03:15 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-31 15:53 --------- d-----w C:\Users\Mobeen\AppData\Roaming\CgEddie
2007-12-31 15:46 --------- d-----w C:\Program Files\Common Files\CgLabsSetup
2007-12-31 10:07 --------- d-----w C:\Users\Mobeen\AppData\Roaming\FileZilla
2007-12-31 10:04 --------- d-----w C:\Program Files\LizardTech
2007-12-24 06:16 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-21 03:55 3,478,528 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2007-12-21 02:09 49,152 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2007-12-16 09:35 --------- d-----w C:\Program Files\Java
2007-12-16 09:33 --------- d-----w C:\Program Files\Common Files\Java
2007-12-08 13:19 2,923,520 ----a-w C:\Windows\explorer.exe
2007-10-08 02:41 60,968 ----a-w C:\Users\Mobeen\GoToAssistDownloadHelper.exe
2007-08-18 18:04 0 ----a-w C:\Users\Mobeen\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 20:34 2159104 C:\Windows\System32\oobefldr.dll]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-16 12:42 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-21 01:51 815104]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 10:51 303104 C:\Windows\sttray.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-16 05:09:40 50688]

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 23:23]
R1 REDIRECTOR;REDIRECTOR;C:\Windows\system32\REDIRECTOR.SYS [2005-07-13 11:40]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-12 07:10]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 11:55]
R3 DCamUSBTP10;Qmax Webcam;C:\Windows\system32\Drivers\TD0608.sys [2006-11-21 15:35]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 11:55]
S4 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c47b99d-d0d6-11dc-b5b9-001c2381fb44}]
\shell\AutoRun\command - F:\win32/setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d73011e-53dc-11dc-9e2a-001c2381fb44}]
\shell\Auto\command - oxbvpen.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL oxbvpen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14457f5-a073-11dc-bfa5-001c2381fb44}]
\shell\Auto\command - F:\oxbvpen.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\oxbvpen.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 01:17:00 C:\Windows\Tasks\User_Feed_Synchronization-{ECE82C6B-A0A7-4C93-A4CA-E966DEA34EA8}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 09:13:39
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
.
**************************************************************************
.
Completion time: 2008-02-16 9:19:58 - machine was rebooted [Mobeen]
ComboFix-quarantined-files.txt 2008-02-16 01:19:51
.
2008-02-13 15:21:24 --- E O F ---

////////////////////////////////////////////////
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:28 AM, on 16/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\explorer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Softwares\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntu.edu.sg/publicportal/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5189 bytes

/////////////////////////////////// Kaspersky AV log //////////////////////////////////////////
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 16, 2008 7:18:38 AM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/02/2008
Kaspersky Anti-Virus database records: 567764


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 258383
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 03:52:28

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\SubInfo.xml Object is locked skipped
C:\ProgramData\Microsoft\OneCare Protection\Support\MPLog-02152008-005724.log Object is locked skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C0C0000\4FBE633C.VBN Infected: Virus.Win32.AutoRun.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021620080217\index.dat Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat{3441c888-4c90-11dc-983c-001c2381fb44}.TM.blf Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat{3441c888-4c90-11dc-983c-001c2381fb44}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Mobeen\AppData\Local\Microsoft\Windows\UsrClass.dat{3441c888-4c90-11dc-983c-001c2381fb44}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Mobeen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Mobeen\NTUSER.DAT Object is locked skipped
C:\Users\Mobeen\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Mobeen\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Mobeen\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Users\Mobeen\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Mobeen\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\ACEEventLog.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Broadcom Wireless LAN.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\MSFWSVC.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Windows OneCare.evtx Object is locked skipped
Scan process completed.
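The MountPoints2 entries in the ComboFix log above are the part of these logs worth reading closely: Explorer caches the shell verbs it read from a removable drive's autorun.inf under that key, and here those cached verbs launch oxbvpen.exe, once as a bare name and once through RunDLL32's ShellExec_RunDLL, which is how an autorun worm on a USB stick gets itself started when the drive is opened. The following Python triage script is an added example, not code from the original post or from any of the tools named in it: it parses that section of a ComboFix log and grades each cached verb. The sample excerpt is constructed from the poster's own lines; the scoring rules and the severity labels are this example's own assumptions.

```python
"""Triage the MountPoints2 section of a ComboFix 'Reg Loading Points' dump.

Each MountPoints2 subkey is one removable volume Explorer has seen; its
\shell\<verb>\command values mirror the autorun.inf on that volume.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three MountPoints2 blocks pasted in the original post.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c47b99d-d0d6-11dc-b5b9-001c2381fb44}]
\shell\AutoRun\command - F:\win32/setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d73011e-53dc-11dc-9e2a-001c2381fb44}]
\shell\Auto\command - oxbvpen.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL oxbvpen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14457f5-a073-11dc-bfa5-001c2381fb44}]
\shell\Auto\command - F:\oxbvpen.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\oxbvpen.exe
"""

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)
# "RunDLL32 Shell32.DLL,ShellExec_RunDLL <target>" runs <target> via the shell,
# so the real payload is not the first token of the command line.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll,shellexec_rundll\s+(?P<target>.+)$", re.I)
SYSTEM_DRIVE = "C:"   # assumption: the OS volume, as in the poster's log


@dataclass
class Finding:
    volume: str      # MountPoints2 GUID of the cached removable volume
    verb: str        # shell verb: AutoRun, Auto, open, ...
    command: str     # command exactly as logged
    target: str      # what is actually executed once wrappers are stripped
    severity: str    # "high", "review" or "none" (this example's own scale)
    reasons: tuple


def unwrap_target(command: str) -> str:
    """Return the executable hidden behind a ShellExec_RunDLL wrapper, else the command."""
    m = RUNDLL_RE.search(command)
    return (m.group("target") if m else command).strip()


def assess(volume: str, verb: str, command: str) -> Finding:
    """Grade one cached verb. Strong indicators alone justify quarantining the drive;
    a weak one alone (an installer CD also autoruns setup.exe) only merits a look."""
    target = unwrap_target(command)
    strong, weak = [], []
    if RUNDLL_RE.search(command):
        strong.append("launch indirected through Shell32 ShellExec_RunDLL")
    if re.fullmatch(r"[^\\/:]+\.exe", target, re.I):
        strong.append("bare executable name, resolved from the volume root")
    if verb.lower() == "auto":
        strong.append("custom 'Auto' verb mirrored from the drive's autorun.inf")
    drive = target[:2].upper()
    if re.fullmatch(r"[A-Z]:", drive) and drive != SYSTEM_DRIVE and target.lower().endswith(".exe"):
        weak.append(f"executable launched from non-system volume {drive}")
    severity = "high" if strong else ("review" if weak else "none")
    return Finding(volume, verb, command, target, severity, tuple(strong + weak))


def triage(log_text: str) -> list:
    """Walk the dump and assess every \\shell\\<verb>\\command under MountPoints2."""
    findings, volume = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            volume = k.group(1)          # entering a MountPoints2 block
            continue
        if line.startswith("["):
            volume = None                # some other registry key: ignore its values
            continue
        v = VERB_RE.match(line)
        if v and volume:
            findings.append(assess(volume, v.group("verb"), v.group("cmd")))
    return findings


def high_volumes(findings) -> list:
    """GUIDs of cached volumes with at least one high-severity verb, sorted."""
    return sorted({f.volume for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.volume} {f.verb:8} -> {f.target}")
        for r in f.reasons:
            print(f"         - {r}")
    print("volumes to pull and re-image:", high_volumes(triage(SAMPLE_LOG)))
```

The GUIDs are only Explorer's handle for a volume it once mounted; matching them back to a physical stick means checking which removable drive was plugged in when the entry was written, which this log alone does not show.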


#2 mobeen

mobeen
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:14 PM

Posted 15 February 2008 - 11:41 PM

Do these logs make sense to anyone??? Please help

#3 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:01:14 AM

Posted 29 February 2008 - 12:44 AM

Hello mobeen and welcome to BleepingComputer!

Apologies for the delay; the forum has been very busy lately. Running ComboFix without guided help is not suggested, as you can seriously harm your PC if you use this tool incorrectly.

If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -




