
Trojan that I can not get rid of.


This topic is locked
8 replies to this topic

#1 Krumthi

Krumthi

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 09 February 2009 - 03:49 PM

Here is the DDS log list for this problem. From what it seems, Norton keeps calling this DLL a virus/trojan. The system is used a lot and the trojan needs to come off ASAP. I have tried unregistering the DLL and deleting it, but it will not. I have tried going into safe mode and deleting it, but it won't. I have tried running HijackThis (got a log too if needed) and no help. I am beginning to run out of ideas; can someone please help!
Thanks

Windows XP SP2 1gig of ram.

DDS (Ver_09-02-01.01) - NTFSx86
Run by MCRguest at 14:38:08.42 on 02/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1489 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Insight\Tools\aiclient.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\RAdmin\r_server.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\IBM\Director\bin\twgipcsv.exe
C:\Program Files\IBM\Director\bin\twgipc.exe
C:\Program Files\IBM\Director\cimom\bin\wmicimserver.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\IBM\Director\bin\twgescli.exe
C:\Program Files\IBM\Director\bin\twgmonit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\MediaTracker\MediaTracker.exe
C:\Program Files\Insight\Tools\AISOFTMN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Work\anti-virus & Removers\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by SENAD
uStart Page = hxxp://intranet.us.schneider-electric.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://intranet.us.schneider-electric.com
uSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: System=ziswin.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {b8a493e9-c3c3-4cad-8e48-0d8b5048dda2} - c:\windows\system32\dpwsockq.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe
mRun: [eCopy Desktop Printer Service] c:\progra~1\ecopy\desktop\pclprint\mrmlnc32.exe
mRun: [eCopy Desktop Inbox Monitor] c:\progra~1\ecopy\desktop\bin\INBOXM~1.EXE -run
mRun: [SENAPCSecurity] c:\progra~1\ibm\director\SENADIR42.EXE
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MediaTracker] c:\program files\mediatracker\\MediaTracker.exe /I
mRun: [nwiz] nwiz.exe /install
mRun: [Asset Insight SUM] c:\program files\insight\tools\AISOFTMN.EXE -B
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\PkgMgr.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: myEXTRA! 3270 Terminal (SSL) - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/3270TerminalSecure.cab
DPF: myEXTRA! English Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/en/Viewers_En.cab
DPF: myEXTRA! Terminal Feature Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/ViewerFeatures.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164839129296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Pepsi/Coupons.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D09FD7B8-ED84-11D5-B755-00001C3AC034} - hxxp://cvgna06.us.schneider-electric.com/30/EtQOfficeInt.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-4-27 6912]
R0 sdqehbpr;sdqehbpr;c:\windows\system32\drivers\sdqehbpr.sys [1979-12-31 23424]
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2002-12-3 35302]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-11-30 34671]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 gpib420;GPIB Analyzer;c:\windows\system32\drivers\gpib420.sys [2005-7-18 31334]
R2 GpibPrtK;Gpib Port;c:\windows\system32\drivers\GpibPrtK.sys [2005-7-18 199783]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616]
R2 r_server;Remote Administrator Service;c:\program files\radmin\r_server.exe [2001-7-24 241664]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2005-7-11 163840]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 TWGIPC;IBM Director Support Program;c:\program files\ibm\director\bin\twgipcsv.exe [2004-10-5 53327]
R2 TWGSYSIN;TWGSYSIN;c:\windows\system32\drivers\twgsysin.sys [2004-10-5 7476]
R2 wmicimserver;IBM Director Agent WMI CIM Server;c:\program files\ibm\director\cimom\bin\wmicimserver.exe [2004-7-14 401408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2005-1-10 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-17 9817]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-11 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090208.016\naveng.sys [2009-2-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090208.016\navex15.sys [2009-2-8 876112]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-17 117760]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\drivers\nipalusb.sys [2005-7-15 91746]

=============== Created Last 30 ================

2009-02-03 15:00 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2008-12-12 08:53 79,631,698 a------- C:\registry_complete.reg

============= FINISH: 14:38:40.90 ===============


Edited by Krumthi, 09 February 2009 - 04:17 PM.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 AM

Posted 10 February 2009 - 01:55 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Krumthi

Krumthi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 10 February 2009 - 12:15 PM

ComboFix log. Here is the log from ComboFix that I ran this morning on the infected computer.

ComboFix 09-02-08.02 - MCRguest 2009-02-10 10:27:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1476 [GMT -6:00]
Running from: c:\documents and settings\MCRGUEST\Desktop\ComboFix1.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\fad.sys

----- BITS: Possible infected sites -----

hxxp://senaupdate.us.schneider-electric.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_R_SERVER
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-04 15:22 . 2009-02-04 15:22 <DIR> d-------- c:\documents and settings\MCS021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 16:33 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-08 22:05 --------- d-----w c:\program files\Insight
2009-02-04 21:49 --------- d-----w c:\program files\MP2ACC2000
2009-01-08 21:43 --------- d-----w c:\program files\CCleaner
2008-12-12 14:53 79,631,698 ----a-w C:\registry_complete.reg
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2003-05-01 15:36 114,688 ----a-w c:\program files\internet explorer\plugins\LV7ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A493E9-C3C3-4CAD-8E48-0D8B5048DDA2}]
2004-08-04 02:00 99840 --a------ c:\windows\system32\dpwsockq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-15 4616192]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2004-05-20 110592]
"eCopy Desktop Printer Service"="c:\progra~1\eCopy\Desktop\PCLprint\mrmlnc32.exe" [2004-11-19 86103]
"eCopy Desktop Inbox Monitor"="c:\progra~1\eCopy\Desktop\Bin\INBOXM~1.EXE" [2004-11-19 34816]
"SENAPCSecurity"="c:\progra~1\IBM\DIRECTOR\SENADIR42.EXE" [2005-02-22 491054]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-01 98304]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2005-06-13 192512]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2005-10-24 40960]
"MediaTracker"="c:\program files\MediaTracker\\MediaTracker.exe" [2006-12-12 1220608]
"Asset Insight SUM"="c:\program files\Insight\Tools\AISOFTMN.EXE" [2002-04-23 8091]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]
"nwiz"="nwiz.exe" [2004-11-15 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-08-04 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 12:36 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:UDP"= 4899:UDP:RAdmin
"4899:TCP"= 4899:TCP:RAdmin

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-04-27 6912]
R0 sdqehbpr;sdqehbpr;c:\windows\system32\drivers\sdqehbpr.sys [1979-12-31 23424]
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2002-12-03 35302]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-11-30 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 gpib420;GPIB Analyzer;c:\windows\system32\drivers\gpib420.sys [2005-07-18 31334]
R2 GpibPrtK;Gpib Port;c:\windows\system32\drivers\GpibPrtK.sys [2005-07-18 199783]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-04-27 63616]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2005-07-11 163840]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
R2 TWGIPC;IBM Director Support Program;c:\program files\IBM\Director\bin\twgipcsv.exe [2004-10-05 53327]
R2 TWGSYSIN;TWGSYSIN;c:\windows\system32\drivers\twgsysin.sys [2004-10-05 7476]
R2 wmicimserver;IBM Director Agent WMI CIM Server;c:\program files\IBM\Director\cimom\bin\wmicimserver.exe [2004-07-14 401408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2005-01-10 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-17 9817]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-11 99376]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-17 117760]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\drivers\nipalusb.sys [2005-07-15 91746]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fb923c-0afa-11dd-a6f5-444553544200}]
\Shell\AutoRun\command - f:\bin\DX8000V.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9d53e4-8147-11db-a690-806d6172696f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fa1d508-afd2-11db-a69f-444553544200}]
\Shell\AutoRun\command - e:\bin\DX8000V.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cc8b222-e9e7-11db-a6b1-444553544200}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf61193e-5632-11dc-a6cc-444553544200}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.us.schneider-electric.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: myEXTRA! 3270 Terminal (SSL) - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/3270TerminalSecure.cab
DPF: myEXTRA! English Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/en/Viewers_En.cab
DPF: myEXTRA! Terminal Feature Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/ViewerFeatures.cab
DPF: {D09FD7B8-ED84-11D5-B755-00001C3AC034} - hxxp://cvgna06.us.schneider-electric.com/30/EtQOfficeInt.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 10:58:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,2a,cb,1e,95,
bd,5c,62,c8,28,51,af,b0,29,a3,98,c6,16,17,2b,fc,81,7b,dd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,96,94,56,d1,e3,
77,fd,8c,71,3b,04,66,8b,46,0d,96,06,6b,d0,1f,17,4f,87,20,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,62,54,ca,e7,fc,
36,e6,9d,25,da,ec,7e,55,20,c9,26,59,01,c9,16,85,ce,21,d5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,fd,3b,cb,b0,2d,
81,e2,81,3e,1e,9e,e0,57,5a,93,61,46,4d,af,ca,ae,9e,6e,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,99,99,60,1c,73,
a6,31,59,cd,44,cd,b9,a6,33,6c,cd,ea,c5,db,9d,de,d4,ae,ca,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,33,ab,2e,0c,fa,
06,3b,37,b0,18,ed,a7,3f,8d,37,a4,14,8a,00,46,e8,37,6a,15,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,39,31,c5,48,62,
96,3a,9c,31,77,e1,ba,b1,f8,68,02,18,04,8b,99,da,87,8b,f2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,19,06,76,08,61,
c1,ff,f0,83,6c,56,8b,a0,85,96,ab,c4,0e,d3,9d,7b,0b,7d,19,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,e2,79,28,bc,e0,
d1,82,2d,51,fa,6e,91,28,9e,14,cc,ff,ca,91,cf,93,a6,3f,02,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,b3,33,4c,a8,83,
eb,20,4f,b1,cd,45,5a,a8,c4,f8,b9,7a,c6,e4,25,aa,eb,0f,69,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,d7,3c,bc,8d,ac,
57,ae,c2,e3,0e,66,d5,eb,bc,2f,6b,e2,95,72,40,6a,04,5f,a7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,49,c1,e5,dd,b5,
c3,71,0b,fa,ea,66,7f,d4,3b,6b,70,6a,53,09,03,e5,99,31,78,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll

- - - - - - - > 'lsass.exe'(1540)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Insight\Tools\aiclient.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\ibmsmbus.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\IBM\Director\bin\twgipc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\IBM\Director\bin\twgescli.exe
c:\program files\IBM\Director\bin\twgmonit.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\RightFax\FaxCtrl.exe
c:\program files\MediaTracker\MediaTracker.exe
.
**************************************************************************
.
Completion time: 2009-02-10 11:03:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 17:03:14

Pre-Run: 7,513,126,912 bytes free
Post-Run: 7,445,664,768 bytes free

239 --- E O F --- 2009-01-15 18:03:24

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 AM

Posted 10 February 2009 - 12:21 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\sdqehbpr.sys
c:\windows\system32\dpwsockq.dll
Driver::
sdqehbpr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8A493E9-C3C3-4CAD-8E48-0D8B5048DDA2}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
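As an added example (not from the thread, and not from the DDS or ComboFix authors): a small Python triage script that applies two tells visible in the log for the files the helper targeted, a boot-start driver whose file date predates the operating system (the 1979-12-31 stamp is a zeroed DOS date rendered in the GMT -6 zone shown in the log header) and a browser helper object registered by CLSID with no class name, to DDS-style lines copied from post #1, then renders what it finds in the File::/Driver::/Registry:: layout used above. The threshold year and the heuristics themselves are assumptions of this example.

```python
"""Triage heuristics for DDS-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {b8a493e9-c3c3-4cad-8e48-0d8b5048dda2} - c:\windows\system32\dpwsockq.dll
R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-4-27 6912]
R0 sdqehbpr;sdqehbpr;c:\windows\system32\drivers\sdqehbpr.sys [1979-12-31 23424]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
"""

# "R0 name;display;path [yyyy-m-d size]" is how DDS prints service/driver entries.
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
# "BHO: Description: {clsid} - path"; the description is missing on the suspect entry.
BHO_RE = re.compile(
    r"^BHO:\s+(?:(?P<desc>[^{}]+?):\s+)?(?P<clsid>\{[0-9a-fA-F-]{36}\})\s+-\s+(?P<path>.*)$"
)

# Assumption of this example: no legitimate driver on a Windows XP box is older than
# this. DOS date 1980-01-01 00:00 displayed in GMT -6 (the log's zone) reads as
# 1979-12-31, which is what a zeroed or forged timestamp looks like in DDS output.
OLDEST_PLAUSIBLE_YEAR = 1990


@dataclass
class Finding:
    kind: str    # "driver" or "bho"
    name: str    # service name or CLSID (with braces)
    path: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return a Finding for every line that trips one of the two heuristics."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := DRIVER_RE.match(line):
            year = int(m["date"].split("-")[0])
            if year < OLDEST_PLAUSIBLE_YEAR:
                findings.append(Finding("driver", m["name"], m["path"],
                                        f"{m['start']} driver with implausible file date {m['date']}"))
        elif m := BHO_RE.match(line):
            if not m["desc"]:
                findings.append(Finding("bho", m["clsid"], m["path"],
                                        "browser helper object registered without a class name"))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Render findings in the File::/Driver::/Registry:: layout used in post #4."""
    files = [f.path for f in findings]
    drivers = [f.name for f in findings if f.kind == "driver"]
    # The helper wrote the CLSID in upper case; match that convention.
    keys = [rf"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f.name.upper()}]"
            for f in findings if f.kind == "bho"]
    out = []
    for header, items in (("File::", files), ("Driver::", drivers), ("Registry::", keys)):
        if items:
            out.append(header)
            out.extend(items)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:6} {f.path}  <- {f.reason}")
    print(build_cfscript(found))
```

Running it against the six sample lines flags only dpwsockq.dll and sdqehbpr.sys, the same two files the helper's script removes; the generated text is a starting point for a human review of the full log, not a replacement for it.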

#5 Krumthi

Krumthi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 10 February 2009 - 02:20 PM

The new log from ComboFix.
I believe this has worked because I would normally get a virus warning when I go into the system32 folder, and this time I didn't. Also, I saw that the file has finally been deleted from that folder, so I believe this has worked. I am running a full AV scan on it again at this moment, but I am going to post this for you.

Thank you


ComboFix 09-02-08.02 - MCRguest 2009-02-10 11:35:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1435 [GMT -6:00]
Running from: c:\documents and settings\MCRGUEST\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MCRGUEST\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\dpwsockq.dll
c:\windows\system32\drivers\sdqehbpr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dpwsockq.dll
c:\windows\system32\drivers\sdqehbpr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SDQEHBPR
-------\Service_sdqehbpr


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-04 15:22 . 2009-02-04 15:22 <DIR> d-------- c:\documents and settings\MCS021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 17:41 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-08 22:05 --------- d-----w c:\program files\Insight
2009-02-04 21:49 --------- d-----w c:\program files\MP2ACC2000
2009-01-08 21:43 --------- d-----w c:\program files\CCleaner
2008-12-12 14:53 79,631,698 ----a-w C:\registry_complete.reg
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2003-05-01 15:36 114,688 ----a-w c:\program files\internet explorer\plugins\LV7ActiveXControl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_11.02.19.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-10 16:37:27 62,344 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-10 17:45:15 62,344 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-10 16:37:27 401,064 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-10 17:45:16 401,064 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-10 17:41:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_284.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-15 4616192]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2004-05-20 110592]
"eCopy Desktop Printer Service"="c:\progra~1\eCopy\Desktop\PCLprint\mrmlnc32.exe" [2004-11-19 86103]
"eCopy Desktop Inbox Monitor"="c:\progra~1\eCopy\Desktop\Bin\INBOXM~1.EXE" [2004-11-19 34816]
"SENAPCSecurity"="c:\progra~1\IBM\DIRECTOR\SENADIR42.EXE" [2005-02-22 491054]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-01 98304]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2005-06-13 192512]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2005-10-24 40960]
"MediaTracker"="c:\program files\MediaTracker\\MediaTracker.exe" [2006-12-12 1220608]
"Asset Insight SUM"="c:\program files\Insight\Tools\AISOFTMN.EXE" [2002-04-23 8091]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]
"nwiz"="nwiz.exe" [2004-11-15 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-08-04 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 12:36 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:UDP"= 4899:UDP:RAdmin
"4899:TCP"= 4899:TCP:RAdmin

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-04-27 6912]
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2002-12-03 35302]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2006-11-30 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 gpib420;GPIB Analyzer;c:\windows\system32\drivers\gpib420.sys [2005-07-18 31334]
R2 GpibPrtK;Gpib Port;c:\windows\system32\drivers\GpibPrtK.sys [2005-07-18 199783]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-04-27 63616]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2005-07-11 163840]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
R2 TWGIPC;IBM Director Support Program;c:\program files\IBM\Director\bin\twgipcsv.exe [2004-10-05 53327]
R2 TWGSYSIN;TWGSYSIN;c:\windows\system32\drivers\twgsysin.sys [2004-10-05 7476]
R2 wmicimserver;IBM Director Agent WMI CIM Server;c:\program files\IBM\Director\cimom\bin\wmicimserver.exe [2004-07-14 401408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2005-01-10 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-17 9817]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-11 99376]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-17 117760]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\drivers\nipalusb.sys [2005-07-15 91746]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK
*NewlyCreated* - SDQEHBPR

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fb923c-0afa-11dd-a6f5-444553544200}]
\Shell\AutoRun\command - f:\bin\DX8000V.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9d53e4-8147-11db-a690-806d6172696f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fa1d508-afd2-11db-a69f-444553544200}]
\Shell\AutoRun\command - e:\bin\DX8000V.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cc8b222-e9e7-11db-a6b1-444553544200}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf61193e-5632-11dc-a6cc-444553544200}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.us.schneider-electric.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: myEXTRA! 3270 Terminal (SSL) - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/3270TerminalSecure.cab
DPF: myEXTRA! English Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/mainframe/en/Viewers_En.cab
DPF: myEXTRA! Terminal Feature Support - hxxp://157.198.21.68/mcs/components/terminal3270/JavaClient/ViewerFeatures.cab
DPF: {D09FD7B8-ED84-11D5-B755-00001C3AC034} - hxxp://cvgna06.us.schneider-electric.com/30/EtQOfficeInt.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 11:44:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,2a,cb,1e,95,
bd,5c,62,c8,28,51,af,b0,29,a3,98,c6,16,17,2b,fc,81,7b,dd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,96,94,56,d1,e3,
77,fd,8c,71,3b,04,66,8b,46,0d,96,06,6b,d0,1f,17,4f,87,20,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,62,54,ca,e7,fc,
36,e6,9d,25,da,ec,7e,55,20,c9,26,59,01,c9,16,85,ce,21,d5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,fd,3b,cb,b0,2d,
81,e2,81,3e,1e,9e,e0,57,5a,93,61,46,4d,af,ca,ae,9e,6e,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,99,99,60,1c,73,
a6,31,59,cd,44,cd,b9,a6,33,6c,cd,ea,c5,db,9d,de,d4,ae,ca,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,33,ab,2e,0c,fa,
06,3b,37,b0,18,ed,a7,3f,8d,37,a4,14,8a,00,46,e8,37,6a,15,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,39,31,c5,48,62,
96,3a,9c,31,77,e1,ba,b1,f8,68,02,18,04,8b,99,da,87,8b,f2,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,19,06,76,08,61,
c1,ff,f0,83,6c,56,8b,a0,85,96,ab,c4,0e,d3,9d,7b,0b,7d,19,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,e2,79,28,bc,e0,
d1,82,2d,51,fa,6e,91,28,9e,14,cc,ff,ca,91,cf,93,a6,3f,02,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,b3,33,4c,a8,83,
eb,20,4f,b1,cd,45,5a,a8,c4,f8,b9,7a,c6,e4,25,aa,eb,0f,69,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,d7,3c,bc,8d,ac,
57,ae,c2,e3,0e,66,d5,eb,bc,2f,6b,e2,95,72,40,6a,04,5f,a7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,49,c1,e5,dd,b5,
c3,71,0b,fa,ea,66,7f,d4,3b,6b,70,6a,53,09,03,e5,99,31,78,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1496)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll

- - - - - - - > 'lsass.exe'(1552)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Insight\Tools\aiclient.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\ibmsmbus.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\IBM\Director\bin\twgipc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\IBM\Director\bin\twgescli.exe
c:\program files\IBM\Director\bin\twgmonit.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\RightFax\FaxCtrl.exe
c:\program files\MediaTracker\MediaTracker.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-02-10 11:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 17:49:24
ComboFix2.txt 2009-02-10 17:03:19

Pre-Run: 7,446,659,584 bytes free
Post-Run: 7,438,001,152 bytes free

248 --- E O F --- 2009-01-15 18:03:24

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 AM

Posted 10 February 2009 - 02:54 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Krumthi

Krumthi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 10 February 2009 - 04:16 PM

Thanks A Ton!

The machine is now working with no viruses, and there is nothing wrong at the moment!

I have run an A/V scan and it found nothing, so I am assuming for the time being that this is closed!

Once again, thanks a lot and I appreciate every bit of it.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 AM

Posted 10 February 2009 - 04:31 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:25 AM

Posted 11 February 2009 - 07:31 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
