Combofix Problem


This topic is locked
4 replies to this topic

#1 Sabyasachi

  • Members
  • 3 posts

Posted 09 April 2008 - 11:14 AM

Hello,

My laptop was infected with some spyware/malware like W32.IRCBot and IRC.backdoor.trojan etc. So I have scanned using Combofix. The virus is cleaned but I am facing problems like the clock setting changed to 24 hr format, and autorun and autoplay are not working when inserting any device using the USB port.

I have fixed the clock setting manually but am not able to fix the autorun problem.

Sending you the ComboFix logs, please have a look.

Appreciate any help.

ComboFix 08-04-07.5 - samalsab 2008-04-08 19:29:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT 5.5:30]
Running from: G:\Sabyasachi\Software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\ShoppingReport
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs

----- BITS: Possible infected sites -----

hxxp://orissa
.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 19:13 . 2008-04-08 19:13 <DIR> d-------- C:\Program Files\PrevxCSI
2008-04-08 19:13 . 2008-04-08 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-08 19:13 . 2008-04-08 19:23 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-05 20:57 . 2008-04-05 20:57 <DIR> d-------- C:\Documents and Settings\samalsab\Application Data\Oxford
2008-04-05 20:56 . 2008-04-05 20:56 <DIR> d-------- C:\Program Files\TEXTware
2008-04-05 20:56 . 2008-04-05 20:56 <DIR> d-------- C:\Program Files\Oxford
2008-04-05 17:03 . 2008-04-05 17:03 <DIR> d-------- C:\Program Files\Photo Story 3 for Windows
2008-04-03 14:44 . 2008-04-03 14:44 <DIR> d-------- C:\Program Files\Notepad++
2008-04-03 14:44 . 2008-04-03 14:47 <DIR> d-------- C:\Documents and Settings\samalsab\Application Data\Notepad++
2008-04-03 11:27 . 2008-04-03 11:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 11:27 . 2008-04-03 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 11:11 . 2008-04-03 11:11 4,862 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 19:05 . 2006-11-28 20:46 27,072 --------- C:\WINDOWS\system32\drivers\PCASp50.sys
2008-04-02 19:04 . 2006-11-22 10:01 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-04-02 19:04 . 2008-04-02 19:04 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2008-04-02 19:04 . 2008-04-02 19:04 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2008-04-02 19:04 . 2007-11-08 12:04 2,577 --a------ C:\WINDOWS\system32\config.hsp
2008-04-02 19:04 . 2008-04-02 19:04 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-04-02 19:03 . 2008-04-02 19:03 <DIR> d-------- C:\Program Files\Nethawk
2008-04-02 19:03 . 2008-04-02 19:03 <DIR> d-------- C:\Documents and Settings\samalsab\Application Data\InstallShield
2008-04-02 15:15 . 2008-04-02 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ten Thumbs Typing Tutor
2008-04-02 15:08 . 2008-04-02 15:08 <DIR> d-------- C:\Program Files\Ten Thumbs Typing Tutor 4.7
2008-03-31 17:30 . 2008-04-08 16:04 <DIR> d-------- C:\Documents and Settings\samalsab\Application Data\skypePM
2008-03-31 17:30 . 2008-03-31 17:30 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-31 17:29 . 2008-03-31 17:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-29 15:02 . 2008-03-29 15:02 85 --a------ C:\WINDOWS\system32\remote.ini
2008-03-29 14:47 . 2008-03-29 09:27 102,574 --a------ C:\WINDOWS\system32\h1dez.exe
2008-03-29 14:47 . 2004-01-26 01:40 40,960 --a------ C:\WINDOWS\system32\edih.dll
2008-03-29 14:47 . 2008-03-29 07:46 17,249 --a------ C:\WINDOWS\system32\mconfg.dll
2008-03-29 14:47 . 2008-03-16 07:41 16,992 --a------ C:\WINDOWS\system32\mcmd.dll
2008-03-29 14:47 . 2008-03-29 09:34 12,427 --a------ C:\WINDOWS\system32\mcrss.dll
2008-03-29 14:47 . 2008-03-16 08:17 2,625 --a------ C:\WINDOWS\system32\ms32.sys
2008-03-29 14:47 . 2008-02-09 14:51 191 --a------ C:\WINDOWS\system32\poiyu
2008-03-28 21:47 . 2008-03-28 21:48 <DIR> d-------- C:\WINDOWS\system32\dk
2008-03-25 13:01 . 2008-03-25 13:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-21 15:43 . 2008-03-21 15:43 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-03-21 15:13 . 2008-03-21 15:13 <DIR> d-------- C:\Documents and Settings\samalsab\Application Data\Nero
2008-03-21 15:09 . 2008-03-21 15:09 <DIR> d-------- C:\Program Files\Nero
2008-03-21 15:09 . 2008-03-21 15:12 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-21 15:09 . 2008-03-21 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-21 14:48 . 2008-03-21 14:48 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-21 14:48 . 2008-03-21 14:48 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-21 14:48 . 2008-03-21 14:48 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-21 14:48 . 2008-03-21 14:48 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-21 14:47 . 2008-04-08 12:03 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-19 17:25 . 2008-03-19 17:25 0 --a------ C:\WINDOWS\wordsearch.INI
2008-03-16 13:09 . 2008-03-16 13:09 <DIR> d-------- C:\Program Files\Xvid
2008-03-16 13:09 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-16 13:09 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-16 13:09 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-03-15 23:40 . 2008-04-06 23:07 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-13 12:32 . 2005-03-01 19:49 2,041,904 --a------ C:\WINDOWS\system32\drivers\fw.sys
2008-03-13 12:32 . 2005-03-01 19:49 106,591 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2008-03-13 12:32 . 2005-03-01 19:49 14,924 --a------ C:\WINDOWS\system32\drivers\OMVA.sys
2008-03-13 12:31 . 2005-03-01 19:49 670,128 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2008-03-13 12:31 . 2005-03-01 19:49 32,866 --a------ C:\WINDOWS\system32\ckpginashim.dll
2008-03-13 12:31 . 2005-03-01 19:49 24,672 --a------ C:\WINDOWS\system32\ckpNotify.dll
2008-03-13 12:31 . 2005-03-01 19:49 17,456 --a------ C:\WINDOWS\system32\drivers\scap.sys
2008-03-13 12:24 . 2005-03-01 19:48 69,632 --------- C:\WINDOWS\erase_SR.exe
2008-03-13 12:19 . 2005-03-01 19:49 2,516 --a------ C:\WINDOWS\system32\drivers\default.bin.old
2008-03-13 12:19 . 2005-03-01 19:49 2,516 --a------ C:\WINDOWS\system32\default.bin.old
2008-03-13 12:18 . 2005-03-01 19:49 4,133 --a------ C:\WINDOWS\entrust.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 13:51 --------- d-----w C:\Documents and Settings\samalsab\Application Data\Skype
2008-04-05 19:15 --------- d-----w C:\Documents and Settings\samalsab\Application Data\Metacafe
2008-04-03 05:53 --------- d-----w C:\Documents and Settings\samalsab\Application Data\Yahoo!
2008-04-03 05:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-03 05:52 --------- d-----w C:\Program Files\Yahoo!
2008-04-02 13:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 07:33 --------- d-----w C:\Program Files\Wireshark
2008-04-01 09:20 --------- d-----w C:\Documents and Settings\samalsab\Application Data\ICAClient
2008-03-31 08:11 --------- d-----w C:\Documents and Settings\samalsab\Application Data\webex
2008-03-21 09:26 --------- d-----w C:\Program Files\Ahead
2008-03-21 09:18 --------- d-----w C:\Program Files\Symantec
2008-03-21 09:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-13 07:01 --------- d-----w C:\Program Files\CheckPoint
2008-02-28 12:08 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-02-27 05:32 --------- d-----w C:\Program Files\WinMerge
2008-02-26 10:44 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-02-18 10:51 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2008-02-18 10:51 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2008-02-18 10:34 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2008-02-08 09:49 --------- d-----w C:\Program Files\RealVNC
2008-01-28 17:23 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
2008-01-12 17:41 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-19 09:53 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 17:30 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 17:30 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 17:30 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41 860160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 14:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" [ ]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-06-08 14:02 131072]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-19 16:26 101144]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-19 16:26 84760]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-19 16:26 125720]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47 184320]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-21 00:11 33792]
"CDMA1X CARD"="C:\Program Files\ZTE CDMA1X CARD\Startup.exe" [2006-10-20 17:52 286801]
"Venturi Configurator"="C:\Program Files\Venturi Client\Configurator\ventcfg.exe" [2006-09-15 14:04 919176]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31 36975]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 15:14:00 561213]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-11-08 12:46:39 184320]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-13 11:30:36 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 19:49 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614688132-1320505354-996637233-12091\Scripts\Logon\0\0]
"Script"=IndiaUserLogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"E:\\NetHawk_EAST_IMS\\2.0.1_U1.0\\bin\\EventServer.exe"=
"E:\\NetHawk_EAST_IMS\\2.0.1_U1.0\\bin\\tcpserver.exe"=
"C:\\Program Files\\Nethawk\\M5 v2.0\\M5.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-08 19:23]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 19:49]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 19:49]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 19:49]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 11:46]
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-11-28 20:46]
S1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys [2005-05-23 09:35]
S2 VenturiClient;Venturi Client;C:\Program Files\Venturi Client\Client\ventc.exe [2006-09-15 14:06]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 19:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68aa3a62-ec2a-11dc-9f36-001279c2d259}]
\Shell\Autoplay\Command - smss.exe
\Shell\AutoRun\command - smss.exe
\Shell\Explore\Command - smss.exe
\Shell\Open\Command - smss.exe

*Newly Created Service* - CSISCANNER
*Newly Created Service* - PXARK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 19:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 19:32:30
ComboFix-quarantined-files.txt 2008-04-08 14:02:12
Pre-Run: 11,016,556,544 bytes free
Post-Run: 11,008,700,416 bytes free
.
2008-03-31 04:33:52 --- E O F ---


Regards,
Sabyasachi
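The MountPoints2 and Active Setup entries in the log above are what a helper looks for by eye. As an added example (not code from this thread, from BleepingComputer or from ComboFix), here is a small Python triage script that parses a trimmed copy of the log posted above and flags the same indicators: shell verbs under MountPoints2 whose command is a bare relative name or impersonates a Windows system process name, an Active Setup stub path inside RECYCLER, a file in system32 with no extension, and a burst of several files created in system32 within the same minute. The rule names, the list of impersonated process names and the burst threshold are my own choices, not anything ComboFix does.

```python
"""Triage a ComboFix log for autorun-hijack and persistence indicators.

Added example, not part of the forum thread or of ComboFix. The sample log
below is a trimmed copy of the log posted in the thread; the rules are an
illustration of the heuristics a helper applies, not ComboFix's own logic.
"""
import re
from collections import defaultdict

# Trimmed from the log in the thread: three record types the rules below use.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
2008-03-29 14:47 . 2008-03-29 09:27 102,574 --a------ C:\WINDOWS\system32\h1dez.exe
2008-03-29 14:47 . 2004-01-26 01:40 40,960 --a------ C:\WINDOWS\system32\edih.dll
2008-03-21 14:48 . 2008-03-21 14:48 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-29 14:47 . 2008-02-09 14:51 191 --a------ C:\WINDOWS\system32\poiyu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68aa3a62-ec2a-11dc-9f36-001279c2d259}]
\Shell\Autoplay\Command - smss.exe
\Shell\AutoRun\command - smss.exe
\Shell\Explore\Command - smss.exe
\Shell\Open\Command - smss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
""".strip("\n")

# Names of core Windows processes that malware likes to borrow (my own list).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                        "services.exe", "svchost.exe", "explorer.exe"}
BURST_THRESHOLD = 3  # files created in system32 in the same minute (assumption)

# "created . modified size attrs path" lines of the Files Created section.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\Command - (?P<cmd>.+)$", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_combofix_log(text):
    """Extract file records, MountPoints2 shell verbs and Active Setup stub paths."""
    files, mountpoints, active_setup = [], [], []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                      # a registry key header starts a new block
            current_key = m.group("key").lower()
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = SHELL_RE.match(line)
        if m and "mountpoints2" in current_key:
            mountpoints.append((current_key, m.group("verb"), m.group("cmd")))
            continue
        if "active setup\\installed components" in current_key and DRIVE_PATH_RE.match(line):
            active_setup.append((current_key, line))
    return {"files": files, "mountpoints": mountpoints, "active_setup": active_setup}


def triage(text):
    """Return (rule, detail) findings for the indicators described above."""
    parsed = parse_combofix_log(text)
    findings = []
    for key, verb, cmd in parsed["mountpoints"]:
        name = cmd.rsplit("\\", 1)[-1].lower()
        relative = "\\" not in cmd and ":" not in cmd   # e.g. "smss.exe" from an autorun.inf
        if relative or name in SYSTEM_PROCESS_NAMES:
            findings.append(("mountpoints2_shell_hijack", f"{verb} -> {cmd} under {key}"))
    for _key, path in parsed["active_setup"]:
        low = path.lower()
        if "\\recycler\\" in low or "\\temp\\" in low or "documents and settings" in low:
            findings.append(("active_setup_stub_in_user_writable_path", path))
    bursts = defaultdict(list)
    for rec in parsed["files"]:
        path = rec["path"]
        if rec["size"] == "<DIR>" or "\\windows\\system32\\" not in path.lower():
            continue
        if "." not in path.rsplit("\\", 1)[-1]:
            findings.append(("system32_file_without_extension", path))
        bursts[rec["created"]].append(path)
    for minute, paths in sorted(bursts.items()):
        if len(paths) >= BURST_THRESHOLD:
            findings.append(("system32_creation_burst",
                             f"{len(paths)} files created {minute}: " + ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against the sample it reports the four hijacked shell verbs, the RECYCLER stub, the extension-less `poiyu` and the three files dropped in system32 at 2008-03-29 14:47; run against a clean log it reports nothing. The burst rule is the one worth tuning: legitimate installers also drop several files in a minute, so in practice it is a prompt to look closer rather than a verdict.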

#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 14 April 2008 - 08:00 AM

Hello Sabyasachi and welcome to BleepingComputer,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\h1dez.exe
C:\WINDOWS\system32\edih.dll
C:\WINDOWS\system32\mconfg.dll
C:\WINDOWS\system32\mcmd.dll
C:\WINDOWS\system32\mcrss.dll
C:\WINDOWS\system32\ms32.sys
C:\WINDOWS\system32\poiyu

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Keep in mind ComboFix resets clock settings to standard, and disables autorun for safety reasons.
You can change these settings manually once your system is clean again.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Sabyasachi
  • Topic Starter

  • Members
  • 3 posts

Posted 21 April 2008 - 01:03 PM

Hello,

Thanks for the reply.

Actually I have scanned using ComboFix. Now the virus is cleared, but autorun is not working for CDs and also for other external removable devices.

Please suggest how to enable autorun.

Regards,
Sabyasachi

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 21 April 2008 - 01:21 PM

Hello Sabyasachi,

Can you please post the logs I've asked for,
so I can check that all visible malware is gone.

Don't worry about your settings,
we'll fix that once we're all done.

Greetings,
Thunder

#5 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 19 May 2008 - 07:36 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.