
Computer getting restarted without any reason-NT Authority DCOM Server process launcher


  • This topic is locked
17 replies to this topic

#1 kunalthechamp

  • Members
  • Location:India

Posted 25 February 2009 - 05:19 AM

Hi,
I have this message which keeps coming after every half an hour of using my computer. It's a pop-up that says the system has to be restarted by NT Authority. Under that it shows a time and the system gets restarted in 60 seconds. Under that it says DCOM Server Process Launcher failed. Sometimes I get the blue screen which says physical memory dump started and the system gets restarted. I cannot install Ad-Aware SE. A pop-up says installation cannot continue as it needs 256 MB physical memory. The pop-up usually comes when I run PCTAV or Malwarebytes or any other scanner. Spybot-S&D did not do any good. No detection. Someone says I need to delete some win32.kill.av. I do not know what that is or how to delete the same. The problem occurred after I installed XP SP3, IE 8.1. Please HELP!
DDS.txt log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by chimco at 15:38:04.29 on Wed 02/25/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.222.18 [GMT 5.5:30]

AV: PC Tools AntiVirus 3.1.2.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NCH Software\ExpressInventory\expressinventory.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\NCH Software\ExpressInventory\expressinventory.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinDriveGuard\DriveGuard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\chimco\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {c7e6efa1-2ec2-4afe-a246-fd46b88d9da3} - c:\windows\system32\ati2dva.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WHITNEY_S2P] c:\program files\samsung\samsung scx-4x21 series\psu\Scan2pc.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ExpressInventory] "c:\program files\nch software\expressinventory\expressinventory.exe" -logon
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\driveg~1.lnk - c:\program files\windriveguard\DriveGuard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: {77F9D428-CC67-41FB-8EED-76D687AA8E62} = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 cshexnpa;cshexnpa;c:\windows\system32\drivers\iaqyuaay.dat --> c:\windows\system32\drivers\iaqyuaay.dat [?]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2007-11-24 15872]
R2 ExpressInventoryService;Express Inventory;c:\program files\nch software\expressinventory\expressinventory.exe [2009-1-20 753668]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2007-11-24 624216]
R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\soliddocuments\solidpdfcreator\spc\SolidPdfService.exe [2008-7-22 189688]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2007-11-24 22528]
S2 Windows Media_Player;Windows Media_Player;c:\program files\common files\microsoft shared\msinfo\Sever.exe [2009-1-4 386048]
S3 AVer;AVerTV PVR USB/EZMaker Pro USB Device;c:\windows\system32\drivers\AvEZPRO.sys [2004-6-8 1017600]
S3 EP800Camera;E-Video DC-100 USB Camera;c:\windows\system32\drivers\ep800vc.sys [2005-1-4 111456]
S3 ExpressInvoiceService;Express Invoice;c:\program files\nch software\expressinvoice\expressinvoice.exe [2009-1-20 946180]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\lv532av.sys --> c:\windows\system32\drivers\LV532AV.SYS [?]

=============== Created Last 30 ================

2009-02-25 15:20 <DIR> --d----- c:\program files\Trend Micro
2009-02-25 14:42 <DIR> --d----- c:\program files\filehippo.com
2009-02-25 13:23 180,224 a------- c:\windows\system32\cnvshell.dll
2009-02-25 13:23 <DIR> --d----- c:\program files\ImageConverter Plus
2009-02-24 14:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-24 14:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-24 12:13 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-02-24 12:11 <DIR> --d----- c:\windows\ERUNT
2009-02-24 12:01 <DIR> --d----- C:\SDFix
2009-02-23 15:19 <DIR> --d-h--- C:\BJPrinter
2009-02-23 14:57 <DIR> --dsh--- C:\INCINERATE
2009-02-21 17:56 <DIR> --d----- c:\docume~1\chimco\applic~1\Malwarebytes
2009-02-21 17:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-21 16:26 <DIR> --dsh--- c:\documents and settings\chimco\PrivacIE
2009-02-21 16:26 <DIR> --dsh--- c:\documents and settings\chimco\IETldCache
2009-02-21 15:41 <DIR> -cd-h--- c:\windows\ie8
2009-02-21 15:39 16,939,888 a------- c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-02-21 14:59 13,686,112 a------- c:\program files\winzip112.exe
2009-02-21 13:19 <DIR> --d----- c:\program files\Adobe Reader 9 Installer
2009-02-20 17:50 102,912 -------- c:\windows\system32\dllcache\dpcdll.dll
2009-02-20 17:48 155,136 -------- c:\windows\system32\mssha.dll
2009-02-20 17:35 498,742 -------- c:\windows\system32\dllcache\dxmasf.dll
2009-02-20 17:35 294,912 -------- c:\windows\system32\dllcache\dlimport.exe
2009-02-20 17:35 152,064 -------- c:\windows\system32\dllcache\shmedia.dll
2009-02-20 17:35 208,896 -------- c:\windows\system32\dllcache\unregmp2.exe
2009-02-20 17:35 73,728 -------- c:\windows\system32\dllcache\wmplayer.exe
2009-02-20 17:35 2,940,928 -------- c:\windows\system32\dllcache\wmploc.dll
2009-02-20 17:26 <DIR> --d----- c:\windows\network diagnostic
2009-02-20 17:25 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-20 17:25 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-20 17:17 19,569 a------- c:\windows\005567_.tmp
2009-02-20 16:04 20,632 a------- c:\windows\system32\dopdfmn6.dll
2009-02-20 16:04 18,072 a------- c:\windows\system32\dopdfmi6.dll
2009-02-20 16:04 7,533 a------- c:\windows\system32\dopdf6.ctm
2009-02-20 16:03 <DIR> --d----- c:\program files\Softland
2009-02-20 14:31 <DIR> --d----- C:\kunal
2009-02-20 14:19 <DIR> --d----- c:\docume~1\chimco\applic~1\TeamViewer
2009-02-20 14:19 <DIR> --d----- c:\documents and settings\chimco\temp
2009-02-20 14:16 331,805,736 a------- c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-02-20 14:12 <DIR> --d----- c:\program files\common files\xing shared
2009-02-20 14:11 <DIR> --d----- c:\program files\common files\Real
2009-02-20 14:06 353,840 a------- c:\program files\RealPlayer11GOLD.exe
2009-02-18 11:54 6,200,817 a------- c:\program files\EDR.zip
2009-02-03 16:10 <DIR> --d----- c:\program files\Karen's Power Tools
2009-02-03 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Karen's Power Tools
2009-02-03 16:09 906,904 a------- c:\program files\ptprnlog-setup.exe

==================== Find3M ====================

2009-02-25 13:13 5,632 a--sh--- c:\program files\Thumbs.db
2009-02-21 15:31 99,072 a------- c:\program files\Winzip 11.1 crack.rar
2009-02-20 18:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-20 14:11 348,160 a------- c:\windows\system32\msvcr71.dll
2009-02-20 14:11 499,712 a------- c:\windows\system32\msvcp71.dll
2009-01-22 12:45 205,444 a------- c:\program files\BrainBot_v101_DEMO.zip
2009-01-20 16:37 373,416 a------- c:\program files\invsetup.exe
2009-01-20 16:24 415,912 a------- c:\program files\eisetup.exe
2009-01-17 12:15 112,486 a------- c:\windows\hpoins07.dat
2009-01-15 02:17 636,264 -------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 02:17 392,040 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 02:13 5,888,512 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 02:06 1,182,720 -------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 02:06 236,544 -------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 02:06 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 911,872 -------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:05 193,536 -------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 02:05 109,056 -------- c:\windows\system32\dllcache\occache.dll
2009-01-15 02:05 43,008 -------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 02:04 755,200 -------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:04 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 02:04 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 02:02 611,840 -------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 02:01 183,808 -------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:01 34,304 -------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 02:01 348,160 -------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 02:01 46,592 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 02:01 216,064 -------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 02:01 66,560 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 48,128 -------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:00 45,568 -------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 01:53 68,608 -------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-01-07 16:33 2,697,168 a------- c:\program files\mbam-setup.exe
2008-12-24 13:24 2,959,376 a------- c:\program files\dotnetfx35setup.exe
2008-12-22 17:04 737,280 a------- c:\windows\iun6002.exe
2008-11-21 13:40 607,640 a------- c:\program files\xpiinstall-6u10-fcs-bin-b92-windows-i586-09_nov_2008.exe
2008-11-18 14:59 67,167,528 a------- c:\program files\iTunes801Setup.exe
2008-10-07 15:32 1,308,673 a------- c:\program files\BseMktWatch.exe
2007-10-30 16:06 8,322,121 ac------ c:\program files\qtsetup.exe
2007-08-13 15:24 43,168 ac------ c:\docume~1\chimco\applic~1\GDIPFONTCACHEV1.DAT
2007-07-14 17:42 20,179,288 a------- c:\program files\20070713-017-x86.exe
2007-05-28 02:52 19,532,248 a------- c:\program files\avinstall.exe
2007-04-24 02:28 84,038,922 a------- c:\program files\Nero.Burning.Rom.7.8.5.part2.rar
2007-04-23 03:36 100,431,872 a------- c:\program files\Nero.Burning.Rom.7.8.5.part1.rar
2004-01-15 14:04 4,228,953 a------- c:\program files\winamp501_full.exe
2001-06-15 22:19 1,259,960 a------- c:\program files\winzip80.exe
2008-03-13 11:08 401,408 a--sh--- c:\windows\Knight.exe
2008-04-15 01:54 386,048 ---sh--- c:\windows\system32\_Sever.exe
2008-06-06 18:43 324,384 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 15:38:49.42 ===============

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.
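The DDS log above already contains the indicators a responder looks for when triaging a log like this: the `R0 cshexnpa` boot driver pointing at a `.dat` file that DDS could not read (`[?]`), the `Windows Media_Player` service started from `msinfo\Sever.exe`, and hidden+system executables such as `c:\windows\Knight.exe` and `_Sever.exe`; the ComboFix log posted later in the thread adds `"EnableFirewall"= 0`. The Python below is an added example, not part of this thread and not a feature of DDS or ComboFix: it parses DDS-style service, file and registry lines and flags those indicators with plain heuristics, so a defender can see which lines an analyst would pull out first. The sample lines are copied from the logs in this thread; the `KNOWN_SECURITY_DRIVERS` allowlist and the heuristic rules themselves are assumptions of the example, not anything the tools implement.

```python
"""Heuristic triage of DDS-style log lines (added example; not a DDS/ComboFix feature)."""
import re

# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
R0 cshexnpa;cshexnpa;c:\windows\system32\drivers\iaqyuaay.dat --> c:\windows\system32\drivers\iaqyuaay.dat [?]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2007-11-24 15872]
S2 Windows Media_Player;Windows Media_Player;c:\program files\common files\microsoft shared\msinfo\Sever.exe [2009-1-4 386048]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
2008-03-13 11:08 401,408 a--sh--- c:\windows\Knight.exe
2008-04-15 01:54 386,048 ---sh--- c:\windows\system32\_Sever.exe
2008-06-06 18:43 324,384 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-20 14:11 348,160 a------- c:\windows\system32\msvcr71.dll
"EnableFirewall"= 0 (0x0)
"""

# DDS "SERVICES / DRIVERS" line: <R|S><start> name;display;image [info]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]+);(.*?)\s+\[([^\]]*)\]$")
# DDS "Created Last 30" / "Find3M" line: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+([A-Za-z-]{7,9})\s+(.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')

# Assumption: an analyst-maintained allowlist of security-product drivers that
# legitimately show up as [?] because they are loaded on demand.
KNOWN_SECURITY_DRIVERS = {"mbamswissarmy"}
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


def parse_service(line):
    """Parse one service/driver line into a dict, or return None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    kind, start, name, display, image, info = m.groups()
    # "a --> b" means DDS resolved the registry path to b; keep the resolved one.
    path = image.split("-->")[-1].strip().lstrip("\\??\\")
    return {"kind": kind, "start": int(start), "name": name,
            "display": display, "path": path, "info": info}


def parse_file(line):
    """Parse one file-listing line into attrs and path, or return None."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs, path = m.groups()
    return {"attrs": attrs.lower(), "path": path.strip()}


def triage(log_text):
    """Return (subject, reason) pairs for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            if svc["name"].lower() in KNOWN_SECURITY_DRIVERS:
                continue
            low = svc["path"].lower()
            if svc["info"] == "?":
                findings.append((svc["name"], "registered driver/service whose image DDS could not read ([?])"))
            if svc["start"] <= 1 and not low.endswith(".sys"):
                findings.append((svc["name"], "boot/system-start driver image is not a .sys file"))
            if svc["display"].lower().startswith("windows") and not low.startswith("c:\\windows\\"):
                findings.append((svc["name"], "service named like a Windows component but started from outside c:\\windows"))
            continue
        f = parse_file(line)
        if f:
            low = f["path"].lower()
            if ("s" in f["attrs"] and "h" in f["attrs"]
                    and low.startswith("c:\\windows\\") and low.endswith(EXECUTABLE_EXT)):
                findings.append((f["path"], "hidden+system executable inside the Windows directory"))
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(("EnableFirewall", "Windows Firewall disabled in the standard profile"))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print(f"{subject}: {reason}")
```

The output is a list of candidates for an analyst, not verdicts: `MBAMSwissArmy` is Malwarebytes' own driver and is dropped by the allowlist even though DDS reports it as `[?]`, while `fidbox.dat` carries hidden+system attributes but is not an executable and so is left alone; `cshexnpa`, by contrast, trips two rules at once, which is the pattern that makes it the first line worth examining.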

 


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location:Belgium

Posted 25 February 2009 - 06:08 AM

Hi,

It looks like your PC Tools AntiVirus didn't do a good job.

Anyway, I see you're not afraid of visiting crack sites and other illegal sites, because I see cracks present here. No wonder your computer is infected.
If you visit crack sites and use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering such a site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead....
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#3 kunalthechamp

  • Topic Starter
  • Members
  • Location:India

Posted 26 February 2009 - 03:48 AM

Hey,
Thanks so much for your reply. I was irritated by this malware. However, I'd like to tell you that I used to visit crack sites often but never got a problem. Only after installing SP3 and IE 8.0 did this problem start. I visited the sites after the problem started. I am afraid of visiting crack sites and other illegal sites but the lure of free software overrides the fear. I will not visit any sites from now on! Also please suggest a good spyware and antivirus. This computer is on a network. Do you think all the other computers on the network might have been infected? Is there a way to check whether the malware really poses a threat? Because I access company accounts from this computer and I will have to change the passwords of all company accounts and inform all my colleagues, and my boss is gonna slaughter me!! I have learnt my lesson and am gonna stop visiting all of these sites. Promise! Can we remove all the cracks or undo all the previous mistakes or something like that? It is impossible to change all passwords as this machine is used by other people also, and how do I ask them to change it? Is there a way to show me all passwords I entered since that date or something? Do you really think there are people sitting there collecting my information and accessing websites with my passwords? Is there a way to find out the same? Please tell me there is! So I can change only the stolen passwords.


Log:
ComboFix 09-02-25.02 - chimco 2009-02-26 13:56:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.222.16 [GMT 5.5:30]
Running from: c:\documents and settings\chimco\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\knight.exe
c:\windows\recover.reg
c:\windows\regedit.com
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekakyabrnlg.sys
c:\windows\system32\senekajskwkmpp.dll
c:\windows\system32\senekaouurcvms.dll
c:\windows\system32\senekaunbiismf.dat
c:\windows\system32\senekawupkdlde.dat
c:\windows\system32\senekayxobhbfa.dll
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_ODBCASVC
-------\Legacy_WINDOWS_MEDIA_PLAYER
-------\Service_Windows Media_Player


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-25 15:20 . 2009-02-25 15:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 14:42 . 2009-02-25 14:42 <DIR> d-------- c:\program files\filehippo.com
2009-02-25 14:34 . 2009-02-25 14:34 156,034 --a------ c:\program files\FHSetup.exe
2009-02-25 13:23 . 2009-02-25 16:19 <DIR> d-------- c:\program files\ImageConverter Plus
2009-02-25 13:23 . 2009-02-06 19:33 180,224 --a------ c:\windows\system32\cnvshell.dll
2009-02-25 13:15 . 2009-02-25 13:20 8,867,112 --a------ c:\program files\converter.exe
2009-02-24 14:42 . 2009-02-24 14:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-24 14:42 . 2009-02-24 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 14:29 . 2009-02-24 14:33 16,409,960 --a------ c:\program files\spybotsd162.exe
2009-02-24 14:26 . 2009-02-24 14:27 812,344 --a------ c:\program files\HJTInstall.exe
2009-02-24 12:13 . 2009-02-24 12:13 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-24 12:11 . 2009-02-24 12:11 <DIR> d-------- c:\windows\ERUNT
2009-02-24 12:01 . 2009-02-24 12:31 <DIR> d-------- C:\SDFix
2009-02-23 15:19 . 2009-02-23 15:19 <DIR> d--h----- C:\BJPrinter
2009-02-23 14:57 . 2009-02-23 14:57 <DIR> d--hs---- C:\INCINERATE
2009-02-21 17:56 . 2009-02-21 17:56 <DIR> d-------- c:\documents and settings\chimco\Application Data\Malwarebytes
2009-02-21 17:56 . 2009-02-21 17:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 17:08 . 2009-02-24 13:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 16:26 . 2009-02-21 16:26 <DIR> d--hs---- c:\documents and settings\chimco\PrivacIE
2009-02-21 16:26 . 2009-02-21 16:26 <DIR> d--hs---- c:\documents and settings\chimco\IETldCache
2009-02-21 15:41 . 2009-02-21 15:51 <DIR> d--h-c--- c:\windows\ie8
2009-02-21 15:39 . 2009-02-21 15:39 16,939,888 --a------ c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-02-21 15:09 . 2009-02-21 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-02-21 15:06 . 2009-02-23 15:18 <DIR> d-------- c:\program files\Google
2009-02-21 14:59 . 2009-02-21 15:06 13,686,112 --a------ c:\program files\winzip112.exe
2009-02-21 13:36 . 2009-02-21 13:36 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-21 13:19 . 2009-02-21 13:24 <DIR> d-------- c:\program files\Adobe Reader 9 Installer
2009-02-21 13:09 . 2009-02-21 13:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-20 17:50 . 2008-04-14 05:40 102,912 --------- c:\windows\system32\dllcache\dpcdll.dll
2009-02-20 17:48 . 2009-02-20 17:48 <DIR> d-------- c:\windows\system32\scripting
2009-02-20 17:35 . 2008-04-13 22:58 2,940,928 --------- c:\windows\system32\dllcache\wmploc.dll
2009-02-20 17:35 . 2008-04-14 05:41 498,742 --------- c:\windows\system32\dllcache\dxmasf.dll
2009-02-20 17:35 . 2008-04-14 05:42 294,912 --------- c:\windows\system32\dllcache\dlimport.exe
2009-02-20 17:35 . 2008-04-14 05:42 208,896 --------- c:\windows\system32\dllcache\unregmp2.exe
2009-02-20 17:35 . 2008-04-14 05:42 152,064 --------- c:\windows\system32\dllcache\shmedia.dll
2009-02-20 17:35 . 2008-04-14 05:42 73,728 --------- c:\windows\system32\dllcache\wmplayer.exe
2009-02-20 17:25 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-20 17:25 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-20 17:17 . 2006-12-29 00:31 19,569 --a------ c:\windows\005567_.tmp
2009-02-20 16:08 . 2009-02-20 16:08 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2009-02-20 16:04 . 2009-02-06 16:01 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2009-02-20 16:04 . 2009-02-06 16:01 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2009-02-20 16:04 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2009-02-20 16:03 . 2009-02-20 16:03 <DIR> d-------- c:\program files\Softland
2009-02-20 14:31 . 2009-02-20 15:05 <DIR> d-------- C:\kunal
2009-02-20 14:19 . 2009-02-20 14:19 <DIR> d-------- c:\documents and settings\chimco\temp
2009-02-20 14:19 . 2009-02-20 14:19 <DIR> d-------- c:\documents and settings\chimco\Application Data\TeamViewer
2009-02-20 14:16 . 2009-02-20 16:32 331,805,736 --a------ c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-02-20 14:12 . 2009-02-20 14:12 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-20 14:11 . 2009-02-20 14:11 <DIR> d-------- c:\program files\Real
2009-02-20 14:11 . 2009-02-20 14:12 <DIR> d-------- c:\program files\Common Files\Real
2009-02-20 14:06 . 2009-02-20 14:06 353,840 --a------ c:\program files\RealPlayer11GOLD.exe
2009-02-18 11:54 . 2009-02-18 11:57 6,200,817 --a------ c:\program files\EDR.zip
2009-02-03 16:10 . 2009-02-03 16:10 <DIR> d-------- c:\program files\Karen's Power Tools
2009-02-03 16:10 . 2009-02-03 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-02-03 16:09 . 2009-02-03 16:09 906,904 --a------ c:\program files\ptprnlog-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 08:33 --------- d-----w c:\program files\PC Tools AntiVirus
2009-02-25 07:43 5,632 --sha-w c:\program files\Thumbs.db
2009-02-23 09:32 --------- d-----w c:\documents and settings\chimco\Application Data\SolidDocuments
2009-02-23 09:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 09:27 --------- d-----w c:\program files\iolo
2009-02-21 10:01 99,072 ----a-w c:\program files\Winzip 11.1 crack.rar
2009-02-21 08:10 --------- d-----w c:\program files\Common Files\Adobe
2009-02-21 07:30 --------- d-----w c:\program files\QuoteTracker
2009-01-22 07:15 205,444 ----a-w c:\program files\BrainBot_v101_DEMO.zip
2009-01-20 11:11 --------- d-----w c:\program files\NCH Software
2009-01-20 11:11 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2009-01-20 11:07 373,416 ----a-w c:\program files\invsetup.exe
2009-01-20 11:00 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-01-20 10:54 415,912 ----a-w c:\program files\eisetup.exe
2009-01-07 11:03 2,697,168 ----a-w c:\program files\mbam-setup.exe
2009-01-07 09:56 --------- d-----w c:\program files\Ulead Systems
2009-01-07 09:56 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-07 09:49 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-01-03 21:11 --------- d-----w c:\program files\AVerUSB
2009-01-03 20:19 --------- d-----w c:\program files\tally546
2009-01-03 20:18 --------- d-----w c:\program files\PowerDVD XP4
2009-01-03 10:11 --------- d-----w c:\program files\WIDCOMM
2008-12-29 06:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-24 07:54 2,959,376 ----a-w c:\program files\dotnetfx35setup.exe
2008-12-22 11:34 737,280 ----a-w c:\windows\iun6002.exe
2008-11-21 08:10 607,640 ----a-w c:\program files\xpiinstall-6u10-fcs-bin-b92-windows-i586-09_nov_2008.exe
2008-11-18 09:29 67,167,528 ----a-w c:\program files\iTunes801Setup.exe
2008-10-07 10:02 1,308,673 ----a-w c:\program files\BseMktWatch.exe
2007-10-30 10:36 8,322,121 -c--a-w c:\program files\qtsetup.exe
2007-08-13 09:54 43,168 -c--a-w c:\documents and settings\chimco\Application Data\GDIPFONTCACHEV1.DAT
2007-07-14 12:12 20,179,288 ----a-w c:\program files\20070713-017-x86.exe
2007-05-27 21:22 19,532,248 ----a-w c:\program files\avinstall.exe
2007-04-23 20:58 84,038,922 ----a-w c:\program files\Nero.Burning.Rom.7.8.5.part2.rar
2007-04-22 22:06 100,431,872 ----a-w c:\program files\Nero.Burning.Rom.7.8.5.part1.rar
2004-01-15 08:34 4,228,953 ----a-w c:\program files\winamp501_full.exe
2001-06-15 16:49 1,259,960 ----a-w c:\program files\winzip80.exe
2008-04-14 20:24 386,048 --sh--w c:\windows\system32\_Sever.exe
2008-06-06 13:13 324,384 --sha-w c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7E6EFA1-2EC2-4AFE-A246-FD46B88D9DA3}]
2008-10-11 12:59 116992 --a------ c:\windows\system32\ati2dva.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WHITNEY_S2P"="c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 229376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-03 1074736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"ExpressInventory"="c:\program files\NCH Software\ExpressInventory\expressinventory.exe" [2009-01-20 753668]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-20 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-11-10 507965]
DriveGuard.lnk - c:\program files\WinDriveGuard\DriveGuard.exe [2008-11-21 434347]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UV12"= aoxdxipl.ax
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0smrgdf c:\program files\iolo\System Mechanic 4\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-12 18:53 1055792 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a--c--- 2007-03-12 18:54 1626160 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\chimco\\Desktop\\KARL STORZ (E)\\pb\\PBAS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"\\\\Chimco7\\C\\Program Files\\Fomine LAN Chat\\LANChat.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"96:TCP"= 96:TCP:Express Invoice Web Server
"89:TCP"= 89:TCP:FlexiServer Web Server
"97:TCP"= 97:TCP:Express Inventory Web Server

R0 cshexnpa;cshexnpa;c:\windows\system32\drivers\iaqyuaay.dat --> c:\windows\system32\drivers\iaqyuaay.dat [?]
S3 AVer;AVerTV PVR USB/EZMaker Pro USB Device;c:\windows\system32\drivers\AvEZPRO.sys [2004-06-08 1017600]
S3 EP800Camera;E-Video DC-100 USB Camera;c:\windows\system32\drivers\ep800vc.sys [2005-01-04 111456]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - ExpressInventoryService
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - InCDsrv
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MWAgent
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NMIndexingService
*Deregistered* - PCTAVSvc
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SdReadSpool
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2a27f0-aa11-11dc-8696-00116700eee8}]
\Shell\Auto\command - G:\Sever.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d1acc1-b7ae-11dd-abec-00c09f65db7a}]
\Shell\Auto\command - F:\Sever.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afcf0040-a892-11dc-8694-00116700eee8}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - f:\system\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd610070-f367-11dd-ac42-00116700eee8}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - f:\system\DriveGuard\DriveProtect.exe -run 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1CB622F9-7299-4245-0705-080208070506}]
c:\windows\system32\SecSystem.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 00:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {77F9D428-CC67-41FB-8EED-76D687AA8E62} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 14:05:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cshexnpa]
"ImagePath"="system32\drivers\iaqyuaay.dat"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-26 14:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 08:42:25

Pre-Run: 3,805,662,720 bytes free
Post-Run: 3,707,376,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\ = "Microsoft Windows"

336 --- E O F --- 2007-11-02 07:35:03

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 kunalthechamp (Topic Starter)

Posted 26 February 2009 - 03:49 AM

Oh yeah, and also in the middle of the scan it said there was some rootkit activity or something, and it asked me to note it down on paper as it might need it later, and then when I clicked OK my system got rebooted.



#5 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 26 February 2009 - 04:55 AM

Hi,

It looks like you got yourself in a difficult situation here as this computer is used for work as well.
Yes, ALL passwords should be changed because you were/are dealing with a backdoor (actually several different backdoors) which steals important info and passwords... and yes, also contact your supervisors to make them aware of the situation. Not doing so will be irresponsible.
And yes, all other computers may be infected as well, since I see you're also dealing with a Flashdrive infection on top and leftovers from a PoisonIvy infection. How long has this computer been infected? I see references to a backdoor, already from last year. You probably never noticed since your scanner didn't detect it. Hence, not sure either if you actually had an Antivirus before.

However, I'd like to tell you that I used to visit crack sites often but never got a problem

Times have changed. Nowadays malware is mainly designed to collect important info, mainly passwords. The one who got access via the backdoor that was installed collects it and sells the login credentials on the internet or via IRC.
The c:\program files\Winzip 11.1 crack.rar is the reason why you got infected and not the IE8 install or SP3 update.
The following instructions will also remove the other potential illegal software installers that I can see in the logs.

So, I really hope you have learned your lesson this time. It's a risk you cannot take, especially since you use this computer for work.

Anyway, we still have to clean here, because you're actually dealing with several different nasty types of malware...

First of all, uninstall WinDriveGuard if present in add&remove programs, because it's a variant of this one. If not present in add&remove programs, don't worry.. we'll deal with it manually anyway.

* Download Flash_Disinfector.exe from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • Your desktop and icons will disappear. This is normal.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. This is a really important step.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Then, * Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\SecSystem.exe
c:\windows\system32\drivers\iaqyuaay.dat
c:\program files\Winzip 11.1 crack.rar
c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveGuard.lnk
c:\windows\system32\ati2dva.dll
c:\windows\system32\_Sever.exe
c:\program files\winzip112.exe
c:\program files\qtsetup.exe
c:\program files\20070713-017-x86.exe
c:\program files\avinstall.exe
c:\program files\Nero.Burning.Rom.7.8.5.part2.rar
c:\program files\Nero.Burning.Rom.7.8.5.part1.rar
Folder::
C:\SDFix
f:\system\DriveGuard
c:\program files\WinDriveGuard
Driver::
cshexnpa
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7E6EFA1-2EC2-4AFE-A246-FD46B88D9DA3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afcf0040-a892-11dc-8694-00116700eee8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd610070-f367-11dd-ac42-00116700eee8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2a27f0-aa11-11dc-8696-00116700eee8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d1acc1-b7ae-11dd-abec-00c09f65db7a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1CB622F9-7299-4245-0705-080208070506}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

I'll give you another antivirus alternative afterwards. Please remind me of it.

Edited by miekiemoes, 26 February 2009 - 04:56 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
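The MountPoints2 entries in the DDS log above (Sever.exe launched from G:\ and F:\, and the DriveGuard handler replacing the drive's Open and Explore actions) are the flash-drive infection miekiemoes refers to, and they are exactly the keys her CFScript deletes. The following Python script is an added example, not part of this thread nor of DDS or ComboFix: it parses a MountPoints2 listing in the log format shown above and flags the three autorun patterns visible there. The sample block is copied from the log above; treating any drive letter other than C: as a removable drive is an assumption of this example, as is the list of shell verbs it inspects.

```python
"""Flag removable-drive autorun hijacks in a DDS/ComboFix MountPoints2 listing.

Added example for this thread; the parsing rules below are assumptions derived
from the log format visible above, not DDS or ComboFix code.
"""
import re
from collections import defaultdict

# Constructed sample: the MountPoints2 block as it appears in the DDS log above
# (same entries, copied here so the script runs offline). The trailing
# Active Setup key is included to show that unrelated keys end an entry.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2a27f0-aa11-11dc-8696-00116700eee8}]
\Shell\Auto\command - G:\Sever.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afcf0040-a892-11dc-8694-00116700eee8}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run
\Shell\Open\Command - f:\system\DriveGuard\DriveProtect.exe -run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1CB622F9-7299-4245-0705-080208070506}]
c:\windows\system32\SecSystem.exe
"""

# "[HKEY_...\mountpoints2\{guid}]" opens one per-volume entry.
HEADER_RE = re.compile(r"^\[hkey_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# Any other registry key header closes the current entry.
OTHER_KEY_RE = re.compile(r"^\[hkey_", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" as DDS prints it.
VERB_RE = re.compile(r"^\\shell\\(\w+)\\command\s*-\s*(.+?)\s*$", re.IGNORECASE)
# A command line that starts with an .exe on some drive letter.
DRIVE_EXE_RE = re.compile(r"^[a-z]:\\.*\.exe\b", re.IGNORECASE)


def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every MountPoints2 entry in the log text."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            entries[current] = {}
            continue
        if OTHER_KEY_RE.match(line):
            current = None          # left the MountPoints2 section
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group(1).lower()] = verb.group(2)
    return entries


def find_suspicious(entries):
    """Return {guid: [(verb, command, reason), ...]} for entries matching the
    autorun patterns seen in the log; clean volumes are absent from the result."""
    findings = defaultdict(list)
    for guid, verbs in entries.items():
        for verb, command in verbs.items():
            lowered = command.lower()
            reasons = []
            # Assumption: C: is the system drive, so an .exe launched by Auto/AutoRun
            # from any other letter lives on the removable volume itself.
            if verb in ("auto", "autorun") and DRIVE_EXE_RE.match(command) \
                    and not lowered.startswith("c:\\windows\\"):
                reasons.append("autorun launches an executable stored on the drive itself")
            # Shell32's ShellExec_RunDLL export starts an arbitrary file by name.
            if "shellexec_rundll" in lowered:
                reasons.append("payload started through RunDLL32 Shell32.DLL,ShellExec_RunDLL")
            # Open/Explore handlers make a double-click on the drive run the command
            # even when AutoRun itself is disabled.
            if verb in ("open", "explore"):
                reasons.append(f"Shell\\{verb} handler overridden; opening the drive runs the command")
            for reason in reasons:
                findings[guid].append((verb, command, reason))
    return dict(findings)


if __name__ == "__main__":
    for guid, hits in find_suspicious(parse_mountpoints(SAMPLE_LOG)).items():
        print(guid)
        for verb, command, reason in hits:
            print(f"  {verb:8s} {command}\n           -> {reason}")
```

The parser keys each finding by the volume GUID, which is what the CFScript's `[-HKEY_CURRENT_USER\...\mountpoints2\{guid}]` lines delete, so the output maps directly onto the removal step. Because MountPoints2 lives under HKEY_CURRENT_USER, the same check has to be run for every user profile on a shared machine.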

#6 kunalthechamp (Topic Starter)

Posted 26 February 2009 - 06:23 AM

The link does not work.



#7 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 26 February 2009 - 06:28 AM

Just proceed with the rest... Combofix also deals with flashdrive infections anyway (and disables autorun/autoplay as it should be).

#8 kunalthechamp (Topic Starter)

Posted 26 February 2009 - 06:37 AM

Should I skip the Flash Disinfector part and go to the script copying part?



#9 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 26 February 2009 - 06:39 AM

Yes, that's what I said :thumbup2:

#10 kunalthechamp (Topic Starter)

Posted 26 February 2009 - 07:04 AM

Hey,
Does that mean I have to follow the same procedure that you told me to follow on this system on every other system in my network? Including ComboFix etc.? I did inform my boss and he was wild! The flash drive infection I ignored, as I thought it was a Windows application to safeguard my flash drives. This computer may have been infected since I don't know when, but this problem has only been there for a week. My antivirus scanner was never switched on for real-time protection, or was never effective. That is scary! If he sells the login information etc., I'm sure they don't use the normal email accounts etc. and only the net banking passwords etc. OMG! I used the WinZip crack on almost all computers! I have learnt my lesson big time! It is not present in Add/Remove Programs. This DriveGuard is there on all my computers! Should I run Flash Disinfector on all PCs or follow the same instructions as you gave for this system?

Log :

ComboFix 09-02-25.02 - chimco 2009-02-26 17:14:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.222.58 [GMT 5.5:30]
Running from: c:\documents and settings\chimco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\chimco\Desktop\CFScript.txt
AV: PC Tools AntiVirus 3.1.2.0 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveGuard.lnk
c:\program files\20070713-017-x86.exe
c:\program files\avinstall.exe
c:\program files\Nero.Burning.Rom.7.8.5.part1.rar
c:\program files\Nero.Burning.Rom.7.8.5.part2.rar
c:\program files\qtsetup.exe
c:\program files\Winzip 11.1 crack.rar
c:\program files\winzip112.exe
c:\windows\system32\_Sever.exe
c:\windows\system32\ati2dva.dll
c:\windows\system32\drivers\iaqyuaay.dat
c:\windows\system32\SecSystem.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveGuard.lnk
c:\program files\20070713-017-x86.exe
c:\program files\avinstall.exe
c:\program files\Nero.Burning.Rom.7.8.5.part1.rar
c:\program files\Nero.Burning.Rom.7.8.5.part2.rar
c:\program files\qtsetup.exe
c:\program files\WinDriveGuard
c:\program files\WinDriveGuard\DriveGuard.exe
c:\program files\WinDriveGuard\ReadMe.txt
c:\program files\Winzip 11.1 crack.rar
c:\program files\winzip112.exe
C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\backupreg.zip
c:\sdfix\backups\backups.zip
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
c:\windows\system32\_Sever.exe
c:\windows\system32\ati2dva.dll
c:\windows\system32\drivers\iaqyuaay.dat
c:\windows\system32\SecSystem.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSHEXNPA
-------\Service_cshexnpa


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-26 16:48 . 2009-02-26 16:48 46 --a------ C:\autorun.inf.bak
2009-02-26 15:28 . 2009-02-26 15:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-25 15:20 . 2009-02-25 15:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 14:42 . 2009-02-25 14:42 <DIR> d-------- c:\program files\filehippo.com
2009-02-25 14:34 . 2009-02-25 14:34 156,034 --a------ c:\program files\FHSetup.exe
2009-02-25 13:23 . 2009-02-25 16:19 <DIR> d-------- c:\program files\ImageConverter Plus
2009-02-25 13:23 . 2009-02-06 19:33 180,224 --a------ c:\windows\system32\cnvshell.dll
2009-02-25 13:15 . 2009-02-25 13:20 8,867,112 --a------ c:\program files\converter.exe
2009-02-24 14:42 . 2009-02-24 14:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-24 14:42 . 2009-02-24 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 14:29 . 2009-02-24 14:33 16,409,960 --a------ c:\program files\spybotsd162.exe
2009-02-24 14:26 . 2009-02-24 14:27 812,344 --a------ c:\program files\HJTInstall.exe
2009-02-24 12:13 . 2009-02-24 12:13 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-24 12:11 . 2009-02-24 12:11 <DIR> d-------- c:\windows\ERUNT
2009-02-23 15:19 . 2009-02-23 15:19 <DIR> d--h----- C:\BJPrinter
2009-02-23 14:57 . 2009-02-23 14:57 <DIR> d--hs---- C:\INCINERATE
2009-02-21 17:56 . 2009-02-21 17:56 <DIR> d-------- c:\documents and settings\chimco\Application Data\Malwarebytes
2009-02-21 17:56 . 2009-02-21 17:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 17:08 . 2009-02-24 13:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 16:26 . 2009-02-21 16:26 <DIR> d--hs---- c:\documents and settings\chimco\PrivacIE
2009-02-21 16:26 . 2009-02-21 16:26 <DIR> d--hs---- c:\documents and settings\chimco\IETldCache
2009-02-21 15:41 . 2009-02-21 15:51 <DIR> d--h-c--- c:\windows\ie8
2009-02-21 15:39 . 2009-02-21 15:39 16,939,888 --a------ c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-02-21 15:09 . 2009-02-21 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-02-21 15:06 . 2009-02-23 15:18 <DIR> d-------- c:\program files\Google
2009-02-21 13:36 . 2009-02-21 13:36 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-21 13:19 . 2009-02-21 13:24 <DIR> d-------- c:\program files\Adobe Reader 9 Installer
2009-02-21 13:09 . 2009-02-21 13:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-20 17:50 . 2008-04-14 05:40 102,912 --------- c:\windows\system32\dllcache\dpcdll.dll
2009-02-20 17:48 . 2009-02-20 17:48 <DIR> d-------- c:\windows\system32\scripting
2009-02-20 17:35 . 2008-04-13 22:58 2,940,928 --------- c:\windows\system32\dllcache\wmploc.dll
2009-02-20 17:35 . 2008-04-14 05:41 498,742 --------- c:\windows\system32\dllcache\dxmasf.dll
2009-02-20 17:35 . 2008-04-14 05:42 294,912 --------- c:\windows\system32\dllcache\dlimport.exe
2009-02-20 17:35 . 2008-04-14 05:42 208,896 --------- c:\windows\system32\dllcache\unregmp2.exe
2009-02-20 17:35 . 2008-04-14 05:42 152,064 --------- c:\windows\system32\dllcache\shmedia.dll
2009-02-20 17:35 . 2008-04-14 05:42 73,728 --------- c:\windows\system32\dllcache\wmplayer.exe
2009-02-20 17:25 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-20 17:25 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-20 17:17 . 2006-12-29 00:31 19,569 --a------ c:\windows\005567_.tmp
2009-02-20 16:08 . 2009-02-20 16:08 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2009-02-20 16:04 . 2009-02-06 16:01 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2009-02-20 16:04 . 2009-02-06 16:01 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2009-02-20 16:04 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2009-02-20 16:03 . 2009-02-20 16:03 <DIR> d-------- c:\program files\Softland
2009-02-20 14:31 . 2009-02-20 15:05 <DIR> d-------- C:\kunal
2009-02-20 14:19 . 2009-02-20 14:19 <DIR> d-------- c:\documents and settings\chimco\temp
2009-02-20 14:19 . 2009-02-20 14:19 <DIR> d-------- c:\documents and settings\chimco\Application Data\TeamViewer
2009-02-20 14:16 . 2009-02-20 16:32 331,805,736 --a------ c:\program files\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-02-20 14:12 . 2009-02-20 14:12 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-20 14:11 . 2009-02-20 14:11 <DIR> d-------- c:\program files\Real
2009-02-20 14:11 . 2009-02-20 14:12 <DIR> d-------- c:\program files\Common Files\Real
2009-02-20 14:06 . 2009-02-20 14:06 353,840 --a------ c:\program files\RealPlayer11GOLD.exe
2009-02-18 11:54 . 2009-02-18 11:57 6,200,817 --a------ c:\program files\EDR.zip
2009-02-03 16:10 . 2009-02-03 16:10 <DIR> d-------- c:\program files\Karen's Power Tools
2009-02-03 16:10 . 2009-02-03 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-02-03 16:09 . 2009-02-03 16:09 906,904 --a------ c:\program files\ptprnlog-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 11:53 --------- d-----w c:\program files\PC Tools AntiVirus
2009-02-25 07:43 5,632 --sha-w c:\program files\Thumbs.db
2009-02-23 09:32 --------- d-----w c:\documents and settings\chimco\Application Data\SolidDocuments
2009-02-23 09:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 09:27 --------- d-----w c:\program files\iolo
2009-02-21 08:10 --------- d-----w c:\program files\Common Files\Adobe
2009-02-21 07:30 --------- d-----w c:\program files\QuoteTracker
2009-02-20 08:41 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-02-20 08:41 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-22 07:15 205,444 ----a-w c:\program files\BrainBot_v101_DEMO.zip
2009-01-20 11:11 --------- d-----w c:\program files\NCH Software
2009-01-20 11:11 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2009-01-20 11:07 373,416 ----a-w c:\program files\invsetup.exe
2009-01-20 11:00 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-01-20 10:54 415,912 ----a-w c:\program files\eisetup.exe
2009-01-14 20:47 636,264 ------w c:\windows\system32\dllcache\iexplore.exe
2009-01-14 20:47 392,040 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-14 20:43 5,888,512 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 20:36 236,544 ------w c:\windows\system32\dllcache\webcheck.dll
2009-01-14 20:36 105,984 ------w c:\windows\system32\dllcache\url.dll
2009-01-14 20:36 1,182,720 ------w c:\windows\system32\dllcache\urlmon.dll
2009-01-14 20:35 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-14 20:35 911,872 ------w c:\windows\system32\dllcache\wininet.dll
2009-01-14 20:35 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-14 20:35 43,008 ------w c:\windows\system32\dllcache\licmgr10.dll
2009-01-14 20:35 193,536 ------w c:\windows\system32\dllcache\msrating.dll
2009-01-14 20:35 109,056 ------w c:\windows\system32\dllcache\occache.dll
2009-01-14 20:34 755,200 ------w c:\windows\system32\dllcache\VGX.dll
2009-01-14 20:34 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-01-14 20:34 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-14 20:34 18,944 ------w c:\windows\system32\dllcache\corpol.dll
2009-01-14 20:32 611,840 ------w c:\windows\system32\dllcache\mstime.dll
2009-01-14 20:31 66,560 ------w c:\windows\system32\dllcache\mshtmled.dll
2009-01-14 20:31 46,592 ------w c:\windows\system32\dllcache\pngfilt.dll
2009-01-14 20:31 348,160 ------w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-14 20:31 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-14 20:31 34,304 ------w c:\windows\system32\dllcache\imgutil.dll
2009-01-14 20:31 216,064 ------w c:\windows\system32\dllcache\dxtrans.dll
2009-01-14 20:31 183,808 ------w c:\windows\system32\dllcache\iepeers.dll
2009-01-14 20:30 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-14 20:30 48,128 ------w c:\windows\system32\dllcache\mshtmler.dll
2009-01-14 20:30 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-14 20:30 45,568 ------w c:\windows\system32\dllcache\mshta.exe
2009-01-14 20:23 68,608 ------w c:\windows\system32\dllcache\hmmapi.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-01-07 11:03 2,697,168 ----a-w c:\program files\mbam-setup.exe
2009-01-07 09:56 --------- d-----w c:\program files\Ulead Systems
2009-01-07 09:56 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-07 09:49 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-01-03 21:11 --------- d-----w c:\program files\AVerUSB
2009-01-03 20:19 --------- d-----w c:\program files\tally546
2009-01-03 20:18 --------- d-----w c:\program files\PowerDVD XP4
2009-01-03 10:11 --------- d-----w c:\program files\WIDCOMM
2008-12-29 06:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-24 07:54 2,959,376 ----a-w c:\program files\dotnetfx35setup.exe
2008-12-22 11:34 737,280 ----a-w c:\windows\iun6002.exe
2008-11-21 08:10 607,640 ----a-w c:\program files\xpiinstall-6u10-fcs-bin-b92-windows-i586-09_nov_2008.exe
2008-11-18 09:29 67,167,528 ----a-w c:\program files\iTunes801Setup.exe
2008-10-07 10:02 1,308,673 ----a-w c:\program files\BseMktWatch.exe
2007-08-13 09:54 43,168 -c--a-w c:\documents and settings\chimco\Application Data\GDIPFONTCACHEV1.DAT
2004-01-15 08:34 4,228,953 ----a-w c:\program files\winamp501_full.exe
2001-06-15 16:49 1,259,960 ----a-w c:\program files\winzip80.exe
2008-06-06 13:13 324,384 --sha-w c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WHITNEY_S2P"="c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 229376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-03 1074736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"ExpressInventory"="c:\program files\NCH Software\ExpressInventory\expressinventory.exe" [2009-01-20 753668]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-20 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-11-10 507965]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UV12"= aoxdxipl.ax
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0smrgdf c:\program files\iolo\System Mechanic 4\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-12 18:53 1055792 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a--c--- 2007-03-12 18:54 1626160 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\chimco\\Desktop\\KARL STORZ (E)\\pb\\PBAS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"\\\\Chimco7\\C\\Program Files\\Fomine LAN Chat\\LANChat.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"96:TCP"= 96:TCP:Express Invoice Web Server
"89:TCP"= 89:TCP:FlexiServer Web Server
"97:TCP"= 97:TCP:Express Inventory Web Server

R3 AVer;AVerTV PVR USB/EZMaker Pro USB Device;c:\windows\system32\DRIVERS\AvEZPRO.sys [2004-06-08 1017600]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - ExpressInventoryService
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - InCDfs
*Deregistered* - InCDsrv
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - MWAgent
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NMIndexingService
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PCTAVSvc
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SdReadSpool
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 00:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {77F9D428-CC67-41FB-8EED-76D687AA8E62} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 17:23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\MicroWorld\Agent\MWASER.EXE
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Common Files\MicroWorld\Agent\MWAGENT.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-26 17:31:17 - machine was rebooted [chimco]
ComboFix-quarantined-files.txt 2009-02-26 12:01:07
ComboFix2.txt 2009-02-26 08:42:37

Pre-Run: 3,659,013,120 bytes free
Post-Run: 3,578,804,736 bytes free

484 --- E O F --- 2007-11-02 07:35:03

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:14 PM

Posted 26 February 2009 - 07:42 AM

Hi,

Isn't there IT support there? Because for every business, there should be IT support present.

I don't know how many other computers are involved here, but I can take a look at them, one by one. This is because, as for Combofix, you can't use the same cfscript, since every computer is different.

Anyway, this computer looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please uninstall the PCTools Antivirus (since it appeared to be useless anyway) and install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

This should deal with the leftovers.

Once we are done with this computer, we can move on to the next computer, run Combofix there and post the log.
Extra note: what I strongly recommend is to back up important data from every infected computer before running any tools. This is because an infected computer is unstable and in some cases, running a removal tool may cause problems. This isn't because of the tools, but because of the damage the malware already caused.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 kunalthechamp

kunalthechamp
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Location:India
  • Local time:07:44 PM

Posted 27 February 2009 - 04:03 AM

Hi,
IT support has withdrawn all help and shrugged off its responsibilities, as it does not wish to take any risk of any leakage of data or any other problem. The boss has given me the responsibility to clean up all computers in the network, and any loss to the company because of the crack will be my responsibility. I am at my wits' end and only hope no one stole anything, or I lose my job and life! There are three more computers in my department which are linked on one network. Please take a look at them too after we are done with this. I have uninstalled ComboFix from this system (say system1) and uninstalled PCTAV. I forgot to tell you: previously, when I wanted to burn a CD or so, it would never burn, as it showed a file in a blank CD called ‘incd sever’ or the like. Also, a file called sever is still showing in my flash drive. I updated Adobe Reader to 9.0 and now PDFs won't open in browsers, and other programs which use Reader say ‘missing technologies’. Is this a virus or so? From system1 I have done whatever you instructed and the log is as follows. I am posting a new reply for the next system (system2). Don’t worry, I'll back up all data. Can't thank you enough for all your help. Also there is a running process InCDSrv.exe. This is the same file that comes up whenever I insert a blank CD to burn. Does Avira AntiVir offer full protection including malware, spyware, backdoor, virus, Trojan, flash, etc.? Do I need any other antivirus to constantly monitor my system?

Log:



Avira AntiVir Personal
Report file date: Friday, February 27, 2009 13:19

Scanning for 1268513 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MAINLAPTOP

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 03:51:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 03:26:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 08:14:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 03:28:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 07:00:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 07:44:21
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 2/20/2009 07:44:36
ANTIVIR3.VDF : 7.1.2.91 149504 Bytes 2/27/2009 07:44:56
Engineversion : 8.2.0.98
AEVDF.DLL : 8.1.1.0 106868 Bytes 2/27/2009 07:47:01
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 07:46:57
AESCN.DLL : 8.1.1.7 127347 Bytes 2/27/2009 07:46:47
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 09:28:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 2/27/2009 07:46:41
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 07:46:23
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/27/2009 07:46:12
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 07:45:13
AEGEN.DLL : 8.1.1.22 336245 Bytes 2/27/2009 07:45:08
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 05:35:56
AECORE.DLL : 8.1.6.6 176501 Bytes 2/27/2009 07:44:59
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 05:35:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 04:10:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 04:58:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 07:32:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 06:56:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 03:59:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 07:57:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 12:58:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 08:19:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 07:35:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 09:18:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 09:04:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, February 27, 2009 13:19

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'hprblog.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'expressinventory.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'Scan2pc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SolidPdfService.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'MWAGENT.EXE' - '1' Module(s) have been scanned
Scan process 'MWASER.EXE' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'expressinventory.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Sever.exe.bak
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1d9b80.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBqu1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] A backup was created as '4a159c5b.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Sever.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1da084.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{57CCA793-B49A-4BB6-8789-1A4D7AAAA877}\RP79\A0018372.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '49d7a3a7.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\cpvflvxg.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] A backup was created as '4a1da7f4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
Begin scan in 'D:\'
D:\pagefile.sys
[WARNING] The file could not be opened!
D:\Sever.exe.bak.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1da83b.qua' ( QUARANTINE )
[NOTE] The file was deleted!
D:\System Volume Information\_restore{57CCA793-B49A-4BB6-8789-1A4D7AAAA877}\RP79\A0018373.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '49d7a809.qua' ( QUARANTINE )
[NOTE] The file was deleted!


End of the scan: Friday, February 27, 2009 14:24
Used time: 1:04:59 Hour(s)

The scan has been done completely.

5762 Scanning directories
328500 Files were scanned
6 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
7 files were deleted
0 files were repaired
7 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
328491 Files not concerned
8322 Archives were scanned
2 Warnings
7 Notes

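To make a report like the one above easier to triage, here is an added Python example (not code from the post, from Avira, or from the helper) that parses the file-scan section of an Avira AntiVir report into one record per scanned path, recomputes the totals Avira prints at the end so they can be cross-checked, and lists which detections sit inside System Restore points. The sample input is an excerpt of the report posted above; the record structure, the regular expressions and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the file-scan part of the Avira AntiVir report posted above,
# reproduced here so the parser runs offline.
AVIRA_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Sever.exe.bak
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1d9b80.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBqu1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] A backup was created as '4a159c5b.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Sever.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1da084.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{57CCA793-B49A-4BB6-8789-1A4D7AAAA877}\RP79\A0018372.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '49d7a3a7.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\cpvflvxg.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] A backup was created as '4a1da7f4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
Begin scan in 'D:\'
D:\pagefile.sys
[WARNING] The file could not be opened!
D:\Sever.exe.bak.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '4a1da83b.qua' ( QUARANTINE )
[NOTE] The file was deleted!
D:\System Volume Information\_restore{57CCA793-B49A-4BB6-8789-1A4D7AAAA877}\RP79\A0018373.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] A backup was created as '49d7a809.qua' ( QUARANTINE )
[NOTE] The file was deleted!
"""

# Line shapes used by the report (assumed from the excerpt above).
TAG_RE = re.compile(r"^\[(WARNING|DETECTION|NOTE)\]\s+(.*)$")
MALWARE_RE = re.compile(r"^Is the (\S+) Trojan$")
SUSPICIOUS_RE = re.compile(r"^Contains suspicious code (\S+)$")
QUARANTINE_RE = re.compile(r"A backup was created as '([^']+\.qua)'")


def parse_report(text):
    """Group each scanned path with the [TAG] lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Begin scan in"):
            continue
        m = TAG_RE.match(line)
        if m is None:
            # Any line that is not a tag line is a path and starts a new record.
            current = {"path": line, "detection": None, "suspicious": False,
                       "quarantine_id": None, "deleted": False, "warnings": []}
            records.append(current)
            continue
        if current is None:
            continue  # a tag line before any path: nothing to attach it to
        tag, msg = m.groups()
        if tag == "WARNING":
            current["warnings"].append(msg)
        elif tag == "DETECTION":
            dm = MALWARE_RE.match(msg) or SUSPICIOUS_RE.match(msg)
            current["detection"] = dm.group(1) if dm else msg
        elif tag == "NOTE":
            if "classified as suspicious" in msg:
                current["suspicious"] = True
            qm = QUARANTINE_RE.search(msg)
            if qm:
                current["quarantine_id"] = qm.group(1)
            if "The file was deleted" in msg:
                current["deleted"] = True
    return records


def summarize(records):
    """Totals comparable with the summary block at the end of the report."""
    detected = [r for r in records if r["detection"]]
    return {
        "malware": sum(1 for r in detected if not r["suspicious"]),
        "suspicious": sum(1 for r in detected if r["suspicious"]),
        "deleted": sum(1 for r in records if r["deleted"]),
        "quarantined": sum(1 for r in records if r["quarantine_id"]),
        "warnings": sum(len(r["warnings"]) for r in records),
        "families": Counter(r["detection"] for r in detected),
    }


def deleted_without_backup(records):
    """Detections deleted with no quarantine backup: nothing to restore from if it was a false positive."""
    return [r["path"] for r in records
            if r["detection"] and r["deleted"] and not r["quarantine_id"]]


def in_restore_points(records):
    """Detections under System Volume Information live in restore points, which is
    why the helper has System Restore reset after disinfection."""
    return [r["path"] for r in records
            if r["detection"] and "\\system volume information\\" in r["path"].lower()]


if __name__ == "__main__":
    recs = parse_report(AVIRA_REPORT)
    print(summarize(recs))
    print("in restore points:", in_restore_points(recs))
```

Run against the excerpt, the recomputed totals match what Avira printed (6 malware detections plus 1 suspicious archive, 7 deleted, 7 quarantined, 2 warnings for the two pagefile.sys files), every deleted file has a .qua backup, and two of the Sever.exe copies sit in RP79 restore points on C: and D:. The one hit outside the usual locations, cpvflvxg.dat in system32\drivers flagged as TR/Rootkit.Gen, is the kind of record worth pulling out separately when reading such a report.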


#13 kunalthechamp

kunalthechamp
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Location:India
  • Local time:07:44 PM

Posted 27 February 2009 - 04:11 AM

system2 combofix log:

ComboFix 09-02-25.02 - USER 2009-02-26 17:46:14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.209 [GMT 5.5:30]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 3.1.2.0 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-26 13:25 . 2009-02-26 13:25 <DIR> d-------- c:\windows\system32\DRVSTORE
2009-02-26 13:20 . 2009-02-26 13:20 <DIR> d-------- c:\program files\Lavasoft
2009-02-26 13:20 . 2009-02-26 13:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-26 12:51 . 2009-02-26 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-26 12:51 . 2009-02-26 12:51 <DIR> d-------- c:\documents and settings\USER\Application Data\PC Tools
2009-02-26 12:51 . 2009-02-26 12:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 12:50 . 2009-02-26 12:50 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-02-26 12:50 . 2009-02-26 12:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-26 12:50 . 2007-02-21 13:27 22,528 --a------ c:\windows\system32\drivers\AVHook.sys
2009-02-26 12:50 . 2007-02-21 13:27 15,872 --a------ c:\windows\system32\drivers\AVRec.sys
2009-02-26 12:50 . 2007-04-12 15:08 15,872 --a------ c:\windows\system32\drivers\AVFilter.sys
2009-02-25 16:22 . 2009-02-25 16:22 26 --a------ c:\windows\Zone.Identifier
2009-02-24 11:18 . 2009-02-24 11:18 <DIR> d--hs---- c:\documents and settings\USER\IECompatCache
2009-02-21 16:01 . 2009-02-21 16:01 <DIR> d--hs---- c:\documents and settings\USER\PrivacIE
2009-02-21 16:01 . 2009-02-21 16:01 <DIR> d--hs---- c:\documents and settings\USER\IETldCache
2009-02-21 15:52 . 2009-02-21 15:52 <DIR> d--h----- c:\windows\ie8
2009-02-21 15:51 . 2009-02-21 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-02-20 17:19 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-20 17:07 . 2009-02-20 17:07 <DIR> d-------- c:\windows\system32\scripting
2009-02-20 17:04 . 2009-02-20 17:04 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-20 17:03 . 2008-04-14 05:42 294,912 --------- c:\windows\system32\dllcache\dlimport.exe
2009-02-20 16:59 . 2006-12-29 00:31 19,569 --a------ c:\windows\002783_.tmp
2009-02-20 16:58 . 2008-10-13 13:55 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-02-13 10:51 . 2009-02-13 10:51 <DIR> d-------- c:\documents and settings\USER\temp
2009-02-13 10:51 . 2009-02-13 10:51 <DIR> d-------- c:\documents and settings\USER\Application Data\TeamViewer
2009-02-03 16:25 . 2009-02-03 16:25 <DIR> d-------- c:\program files\Karen's Power Tools
2009-02-03 16:25 . 2009-02-03 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-30 14:55 . 2009-01-30 14:58 1,851,544 --a------ c:\program files\install_flash_player.exe
2009-01-29 17:04 . 2009-01-29 17:04 <DIR> d-------- c:\windows\Sun
2009-01-29 17:04 . 2009-02-26 14:49 1,744 --a------ c:\windows\system32\d3d9caps.dat
2009-01-29 17:03 . 2009-01-29 17:03 <DIR> d-------- c:\program files\Java
2009-01-29 17:03 . 2009-01-29 17:03 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-29 17:03 . 2009-01-29 17:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-29 16:45 . 2009-01-29 16:46 607,640 --a------ c:\program files\xpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe
2009-01-29 16:31 . 2009-01-29 16:31 0 --a------ c:\windows\nsreg.dat
2009-01-29 16:30 . 2009-01-29 16:30 7,518,240 --a------ c:\program files\Firefox Setup 3.0.5.exe
2009-01-29 15:05 . 2009-01-29 15:05 <DIR> d-------- c:\documents and settings\USER\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 10:00 --------- d-----w c:\program files\Fomine LAN Chat
2009-01-19 09:44 --------- d-----w c:\documents and settings\USER\Application Data\SmarThru4
2009-01-19 09:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-19 09:42 --------- d-----w c:\program files\SmarThru 4
2009-01-19 09:42 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-19 09:39 --------- d-----w c:\program files\Samsung
2009-01-19 09:33 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-19 09:33 --------- d-----w c:\program files\Symantec
2009-01-19 09:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-19 09:33 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-19 09:27 --------- d-----w c:\program files\Microsoft.NET
2009-01-19 09:27 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-19 09:27 --------- d-----w c:\program files\Common Files\L&H
2009-01-19 09:26 --------- d-----w c:\program files\Microsoft Works
2009-01-19 09:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-19 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-01-19 08:56 --------- d-----w c:\program files\Common Files\Adobe
2009-01-19 08:36 --------- d-----w c:\program files\microsoft frontpage
2009-01-14 20:47 636,264 ------w c:\windows\system32\dllcache\iexplore.exe
2009-01-14 20:47 392,040 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-14 20:43 5,888,512 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 20:36 236,544 ------w c:\windows\system32\dllcache\webcheck.dll
2009-01-14 20:36 105,984 ------w c:\windows\system32\dllcache\url.dll
2009-01-14 20:36 1,182,720 ------w c:\windows\system32\dllcache\urlmon.dll
2009-01-14 20:35 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-14 20:35 911,872 ------w c:\windows\system32\dllcache\wininet.dll
2009-01-14 20:35 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-14 20:35 43,008 ------w c:\windows\system32\dllcache\licmgr10.dll
2009-01-14 20:35 193,536 ------w c:\windows\system32\dllcache\msrating.dll
2009-01-14 20:35 109,056 ------w c:\windows\system32\dllcache\occache.dll
2009-01-14 20:34 755,200 ------w c:\windows\system32\dllcache\VGX.dll
2009-01-14 20:34 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-01-14 20:34 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-14 20:34 18,944 ------w c:\windows\system32\dllcache\corpol.dll
2009-01-14 20:32 611,840 ------w c:\windows\system32\dllcache\mstime.dll
2009-01-14 20:31 66,560 ------w c:\windows\system32\dllcache\mshtmled.dll
2009-01-14 20:31 46,592 ------w c:\windows\system32\dllcache\pngfilt.dll
2009-01-14 20:31 348,160 ------w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-14 20:31 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-14 20:31 34,304 ------w c:\windows\system32\dllcache\imgutil.dll
2009-01-14 20:31 216,064 ------w c:\windows\system32\dllcache\dxtrans.dll
2009-01-14 20:31 183,808 ------w c:\windows\system32\dllcache\iepeers.dll
2009-01-14 20:30 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-14 20:30 48,128 ------w c:\windows\system32\dllcache\mshtmler.dll
2009-01-14 20:30 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-14 20:30 45,568 ------w c:\windows\system32\dllcache\mshta.exe
2009-01-14 20:23 68,608 ------w c:\windows\system32\dllcache\hmmapi.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-01-07 11:03 2,697,168 ----a-w c:\program files\mbam-setup.exe
2008-11-01 11:22 278,310 ----a-w c:\program files\lanchat13.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WHITNEY_S2P"="c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 229376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-29 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-26 1074736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LAN Chat.lnk - c:\program files\Fomine LAN Chat\LANChat.exe [2008-02-25 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Fomine LAN Chat\\LANChat.exe"=
"\\\\ACCOUNT\\C\\KARL STORZ CATALOGUE\\pb\\PBAS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pimpmysearch.com/home.html?gname=CHIMCO
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\3b7cqe2x.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 17:47:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-26 17:48:48
ComboFix-quarantined-files.txt 2009-02-26 12:18:48

Pre-Run: 8,045,953,024 bytes free
Post-Run: 8,198,373,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect



#14 kunalthechamp (Topic Starter, Members, 177 posts, India)

Posted 27 February 2009 - 05:04 AM

system3 combofix log:

ComboFix 09-02-26.02 - USER 2009-02-27 15:27:49.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.287 [GMT 5.5:30]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\USER\LOCALS~1\Temp\init.exe
c:\documents and settings\USER\USER.exe
c:\program files\Microsoft Common
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\services.exe
c:\windows\IE4 Error Log.txt
c:\windows\index.html
c:\windows\system32\digeste.dll
c:\windows\system32\dll.dll
c:\windows\system32\drivers\109.exe
c:\windows\system32\drivers\15.exe
c:\windows\system32\drivers\156.exe
c:\windows\system32\drivers\171.exe
c:\windows\system32\drivers\187.exe
c:\windows\system32\drivers\203.exe
c:\windows\system32\drivers\218.exe
c:\windows\system32\drivers\234.exe
c:\windows\system32\drivers\296.exe
c:\windows\system32\drivers\312.exe
c:\windows\system32\drivers\359.exe
c:\windows\system32\drivers\390.exe
c:\windows\system32\drivers\406.exe
c:\windows\system32\drivers\421.exe
c:\windows\system32\drivers\437.exe
c:\windows\system32\drivers\468.exe
c:\windows\system32\drivers\484.exe
c:\windows\system32\drivers\500.exe
c:\windows\system32\drivers\515.exe
c:\windows\system32\drivers\531.exe
c:\windows\system32\drivers\562.exe
c:\windows\system32\drivers\609.exe
c:\windows\system32\drivers\62.exe
c:\windows\system32\drivers\625.exe
c:\windows\system32\drivers\687.exe
c:\windows\system32\drivers\703.exe
c:\windows\system32\drivers\718.exe
c:\windows\system32\drivers\734.exe
c:\windows\system32\drivers\750.exe
c:\windows\system32\drivers\765.exe
c:\windows\system32\drivers\812.exe
c:\windows\system32\drivers\843.exe
c:\windows\system32\drivers\859.exe
c:\windows\system32\drivers\875.exe
c:\windows\system32\drivers\906.exe
c:\windows\system32\drivers\921.exe
c:\windows\system32\drivers\93.exe
c:\windows\system32\drivers\937.exe
c:\windows\system32\drivers\968.exe
c:\windows\system32\drivers\984.exe
c:\windows\system32\icqmlib.exe
c:\windows\system32\iepref32.dll
c:\windows\system32\ierplc.dll
c:\windows\system32\ips.dll
c:\windows\system32\KernelDrv.exe
c:\windows\system32\ksvcl.dll
c:\windows\system32\lanmandrv.sys
c:\windows\system32\lanmanwrk.exe
c:\windows\system32\laprxy.dllexe
c:\windows\system32\mmmqbnqb.dll
c:\windows\system32\ocxapi.dll
c:\windows\system32\ocxloader.exe
c:\windows\system32\qmopt.dll
c:\windows\system32\shell31.dll
c:\windows\system32\wincreate.exe
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV
-------\Service_lanmandrv


((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-27 15:24 . 2009-02-27 15:24 <DIR> d--hs---- C:\FOUND.032
2009-02-26 09:27 . 2009-02-26 09:27 <DIR> d--hs---- C:\FOUND.028
2009-02-25 17:17 . 2009-02-25 17:17 47,104 --a------ c:\windows\system32\mmmlvslv.dll
2009-02-25 17:15 . 2009-02-25 17:15 <DIR> d--hs---- C:\FOUND.027
2009-02-25 15:24 . 2009-02-25 15:24 47,104 --a------ c:\windows\system32\mmmdpndp.dll
2009-02-25 12:35 . 2009-02-25 12:35 47,104 --a------ c:\windows\system32\mmmizyiz.dll
2009-02-25 12:34 . 2009-02-25 12:34 <DIR> d--hs---- C:\FOUND.026
2009-02-25 11:02 . 2009-02-25 11:02 47,104 --a------ c:\windows\system32\mmmnebne.dll
2009-02-25 10:42 . 2009-02-25 10:42 47,104 --a------ c:\windows\system32\mmmzebze.dll
2009-02-25 10:29 . 2009-02-25 10:29 47,104 --a------ c:\windows\system32\mmmqqxqq.dll
2009-02-24 17:03 . 2009-02-24 17:03 47,104 --a------ c:\windows\system32\mmmgdtgd.dll
2009-02-24 14:48 . 2009-02-24 14:48 47,104 --a------ c:\windows\system32\mmmygryg.dll
2009-02-24 14:43 . 2009-02-24 14:43 <DIR> d--hs---- C:\FOUND.025
2009-02-24 10:25 . 2009-02-24 10:25 47,104 --a------ c:\windows\system32\mmmwzlwz.dll
2009-02-21 16:47 . 2009-02-21 16:47 47,104 --a------ c:\windows\system32\mmmeapea.dll
2009-02-21 16:10 . 2009-02-21 16:10 <DIR> d--hs---- c:\documents and settings\USER\PrivacIE
2009-02-21 16:10 . 2009-02-21 16:10 47,104 --a------ c:\windows\system32\mmmrjlrj.dll
2009-02-21 16:09 . 2009-02-21 16:10 <DIR> d--hs---- c:\documents and settings\USER\IETldCache
2009-02-21 15:56 . 2009-02-21 15:56 <DIR> d--h----- c:\windows\ie8
2009-02-21 15:52 . 2009-02-21 15:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-02-21 15:23 . 2008-04-14 00:15 26,368 --a------ c:\windows\system32\dllcache\usbstor.sys
2009-02-21 14:32 . 2009-02-21 14:32 47,104 --a------ c:\windows\system32\mmmnfsnf.dll
2009-02-21 14:09 . 2009-02-21 14:09 <DIR> d--hs---- C:\FOUND.024
2009-02-21 10:25 . 2009-02-21 10:25 47,104 --a------ c:\windows\system32\mmmpkgpk.dll
2009-02-20 17:18 . 2009-02-20 17:18 47,104 --a------ c:\windows\system32\mmmoenoe.dll
2009-02-20 17:06 . 2009-02-20 17:06 <DIR> d-------- c:\windows\system32\scripting
2009-02-20 17:05 . 2009-02-20 17:05 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-20 17:04 . 2008-04-14 05:42 294,912 --------- c:\windows\system32\dllcache\dlimport.exe
2009-02-20 17:01 . 2008-10-13 13:55 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-02-20 17:01 . 2006-12-29 00:31 19,569 --a------ c:\windows\002908_.tmp
2009-02-20 13:54 . 2009-02-20 13:54 47,104 --a------ c:\windows\system32\mmmvbyvb.dll
2009-02-20 12:16 . 2009-02-20 12:16 <DIR> d-------- C:\ExpressInvoice-Backup-2009-02-20
2009-02-20 10:24 . 2009-02-20 10:24 47,104 --a------ c:\windows\system32\mmmgaqga.dll
2009-02-19 13:58 . 2009-02-19 13:58 47,104 --a------ c:\windows\system32\mmmnuvnu.dll
2009-02-19 13:46 . 2009-02-19 13:46 <DIR> d--hs---- C:\FOUND.023
2009-02-17 16:09 . 2009-02-17 16:09 <DIR> d--hs---- C:\FOUND.022
2009-02-17 12:05 . 2009-02-17 12:05 <DIR> d--hs---- C:\FOUND.021
2009-02-16 15:10 . 2009-02-16 15:10 47,104 --a------ c:\windows\system32\mmmcdtcd.dll
2009-02-16 13:01 . 2009-02-16 13:01 47,104 --a------ c:\windows\system32\mmmbdqbd.dll
2009-02-16 12:58 . 2009-02-16 12:58 <DIR> d--hs---- C:\FOUND.020
2009-02-16 11:11 . 2009-02-16 11:11 47,104 --a------ c:\windows\system32\mmmlzclz.dll
2009-02-16 10:34 . 2009-02-16 10:34 <DIR> d--hs---- C:\FOUND.019
2009-02-14 15:11 . 2009-02-14 15:12 47,104 --a------ c:\windows\system32\mmmqxjqx.dll
2009-02-14 12:47 . 2009-02-14 12:47 47,104 --a------ c:\windows\system32\mmmfyqfy.dll
2009-02-14 10:27 . 2009-02-14 10:27 47,104 --a------ c:\windows\system32\mmmzecze.dll
2009-02-13 16:40 . 2009-02-13 16:40 47,104 --a------ c:\windows\system32\mmmoogoo.dll
2009-02-13 10:35 . 2009-02-13 10:35 47,104 --a------ c:\windows\system32\mmmxavxa.dll
2009-02-12 13:29 . 2009-02-12 13:29 47,104 --a------ c:\windows\system32\mmmbsrbs.dll
2009-02-12 13:23 . 2009-02-12 13:23 47,104 --a------ c:\windows\system32\mmmkeqke.dll
2009-02-12 10:31 . 2009-02-12 10:31 47,104 --a------ c:\windows\system32\mmmlbulb.dll
2009-02-12 10:30 . 2009-02-12 10:30 <DIR> d--hs---- C:\FOUND.018
2009-02-12 10:28 . 2009-02-12 10:28 <DIR> d--hs---- C:\FOUND.017
2009-02-11 16:05 . 2009-02-11 16:05 47,104 --a------ c:\windows\system32\mmmtrhtr.dll
2009-02-11 15:46 . 2009-02-11 15:46 47,104 --a------ c:\windows\system32\mmmaicai.dll
2009-02-11 15:36 . 2009-02-11 15:36 47,104 --a------ c:\windows\system32\mmmtopto.dll
2009-02-11 12:07 . 2009-02-11 12:07 47,104 --a------ c:\windows\system32\mmmkupku.dll
2009-02-11 12:02 . 2009-02-11 12:02 47,104 --a------ c:\windows\system32\mmmsissi.dll
2009-02-11 10:44 . 2009-02-11 10:44 47,104 --a------ c:\windows\system32\mmmpzwpz.dll
2009-02-10 15:49 . 2009-02-10 15:49 47,104 --a------ c:\windows\system32\mmmlvjlv.dll
2009-02-10 14:42 . 2009-02-10 14:42 47,104 --a------ c:\windows\system32\mmmhcchc.dll
2009-02-10 14:40 . 2009-02-10 14:40 <DIR> d--hs---- C:\FOUND.016
2009-02-10 14:35 . 2009-02-10 14:35 47,104 --a------ c:\windows\system32\mmmkczkc.dll
2009-02-10 10:29 . 2009-02-10 10:29 47,104 --a------ c:\windows\system32\mmmasbas.dll
2009-02-10 10:28 . 2009-02-10 10:28 <DIR> d--hs---- C:\FOUND.015
2009-02-09 10:43 . 2009-02-09 10:43 <DIR> d--hs---- C:\FOUND.014
2009-02-09 10:26 . 2009-02-09 10:26 <DIR> d--hs---- C:\FOUND.013
2009-02-07 10:49 . 2002-01-01 02:45 26,444 --a------ c:\windows\system32\kcopt.dll
2009-02-06 18:02 . 2009-02-06 18:02 47,104 --a------ c:\windows\system32\mmmxuzxu.dll
2009-02-06 13:53 . 2009-02-06 13:53 47,104 --a------ c:\windows\system32\mmmpjcpj.dll
2009-02-06 13:39 . 2009-02-06 13:39 25,088 --a------ c:\documents and settings\USER\S87ekhV.exe
2009-02-06 13:39 . 2009-02-06 13:39 9,801 --a------ c:\documents and settings\USER\vdrvwin.exe
2009-02-03 10:18 . 2009-02-03 10:18 <DIR> d--hs---- C:\FOUND.012

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 11:52 --------- d-----w c:\program files\NCH Software
2009-01-20 11:51 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2009-01-14 20:47 636,264 ------w c:\windows\system32\dllcache\iexplore.exe
2009-01-14 20:47 392,040 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-14 20:43 5,888,512 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 20:36 236,544 ------w c:\windows\system32\dllcache\webcheck.dll
2009-01-14 20:36 105,984 ------w c:\windows\system32\dllcache\url.dll
2009-01-14 20:36 1,182,720 ------w c:\windows\system32\dllcache\urlmon.dll
2009-01-14 20:35 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-14 20:35 911,872 ------w c:\windows\system32\dllcache\wininet.dll
2009-01-14 20:35 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-14 20:35 43,008 ------w c:\windows\system32\dllcache\licmgr10.dll
2009-01-14 20:35 193,536 ------w c:\windows\system32\dllcache\msrating.dll
2009-01-14 20:35 109,056 ------w c:\windows\system32\dllcache\occache.dll
2009-01-14 20:34 755,200 ------w c:\windows\system32\dllcache\VGX.dll
2009-01-14 20:34 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-01-14 20:34 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-14 20:34 18,944 ------w c:\windows\system32\dllcache\corpol.dll
2009-01-14 20:32 611,840 ------w c:\windows\system32\dllcache\mstime.dll
2009-01-14 20:31 66,560 ------w c:\windows\system32\dllcache\mshtmled.dll
2009-01-14 20:31 46,592 ------w c:\windows\system32\dllcache\pngfilt.dll
2009-01-14 20:31 348,160 ------w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-14 20:31 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-14 20:31 34,304 ------w c:\windows\system32\dllcache\imgutil.dll
2009-01-14 20:31 216,064 ------w c:\windows\system32\dllcache\dxtrans.dll
2009-01-14 20:31 183,808 ------w c:\windows\system32\dllcache\iepeers.dll
2009-01-14 20:30 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-14 20:30 48,128 ------w c:\windows\system32\dllcache\mshtmler.dll
2009-01-14 20:30 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-14 20:30 45,568 ------w c:\windows\system32\dllcache\mshta.exe
2009-01-14 20:23 68,608 ------w c:\windows\system32\dllcache\hmmapi.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-14 20:20 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-01-08 12:06 --------- d-----w c:\documents and settings\USER\Application Data\Ulead Systems
2009-01-08 12:04 --------- d-----w c:\program files\QuickTime
2009-01-08 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-01-08 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-08 11:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 11:52 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-08 08:12 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-06 12:26 --------- d-----w c:\documents and settings\USER\Application Data\ACD Systems
2008-12-27 05:47 79,872 ------w c:\windows\system32\drivers\qij2lkjfdfq.sys
2008-12-08 09:34 20,992 ----a-w c:\documents and settings\USER\sysfr.exe
2008-12-06 07:30 20,992 ----a-w c:\documents and settings\USER\syspdte.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-03-20 10752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
browsers.exe [2009-02-06 287]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mmmaicai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkj35.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\userinit.exe"=

S0 Winkj35;Winkj35;c:\windows\system32\Drivers\Winkj35.sys --> c:\windows\system32\Drivers\Winkj35.sys [?]
S1 dabec0d2;dabec0d2;c:\windows\system32\drivers\dabec0d2.sys --> c:\windows\system32\drivers\dabec0d2.sys [?]
S2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2001-08-23 22784]
S2 amd64si;amd64si;c:\windows\system32\drivers\amd64si.sys [2001-08-23 22784]
S2 ati64si;ati64si;c:\windows\system32\drivers\ati64si.sys [2001-08-23 22784]
S2 fips32cup;fips32cup;c:\windows\system32\drivers\fips32cup.sys [2001-08-23 22784]
S2 i386si;i386si;c:\windows\system32\drivers\i386si.sys [2001-08-23 22784]
S2 ksi32sk;ksi32sk;\??\c:\windows\system32\drivers\ksi32sk.sys --> c:\windows\system32\drivers\ksi32sk.sys [?]
S2 port135sik;port135sik;c:\windows\system32\drivers\port135sik.sys [2001-08-23 22784]
S2 securentm;securentm;c:\windows\system32\drivers\securentm.sys [2001-08-23 22784]
S2 systemntmi;systemntmi;c:\windows\system32\drivers\systemntmi.sys [2001-08-23 22784]
S2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2001-08-23 22784]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4GCR-11QF-AAD5-81CP7T635612}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\services.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-USER - c:\documents and settings\USER\USER.exe
HKLM-Run-KernelDrv.exe clean - c:\windows\System32\KernelDrv.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pimpmysearch.com/home.html?gname=CHIMCO
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 15:28:49
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-27 15:29:36
ComboFix-quarantined-files.txt 2009-02-27 09:59:36

Pre-Run: 29,022,519,296 bytes free
Post-Run: 29,013,901,312 bytes free



#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 27 February 2009 - 05:20 AM

Hi,

System2 is OK.
For system 3, I recommend that you format and reinstall that one, because that's the only guarantee for a computer you can trust again. It's too severely infected and from the looks, it's already been infected for a long time. Too much damage already and it's too compromised already as well. Cleaning this up manually would be irresponsible since you'll never be able to trust this computer again - unless you format and reinstall.
After all, it's a computer used for business and you cannot afford this.
System3 is worse than the first log of your computer you posted.

Yes, delete the sever.exe from the flashdrive.
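Added example, not part of this thread and not ComboFix or BleepingComputer code: a small Python triage script that checks a ComboFix "Reg Loading Points" section for the indicators the system3 log above shows, so the "format and reinstall" verdict can be reproduced mechanically rather than by eye. The sample input is constructed from lines posted in this thread (the random-named AppInit_DLLs entry, the three Security Center overrides, the SafeBoot\Minimal driver whose file is missing, the eight look-alike drivers with one date and size, the Active Setup key whose "GUID" contains non-hex letters, and services.exe under RECYCLER). The rule names, the cluster threshold of three drivers and the exact list of Security Center value names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the system3 ComboFix "Reg Loading
# Points" section posted in this thread, trimmed to what the rules below read.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mmmaicai.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkj35.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

S0 Winkj35;Winkj35;c:\windows\system32\Drivers\Winkj35.sys --> c:\windows\system32\Drivers\Winkj35.sys [?]
S2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2001-08-23 22784]
S2 amd64si;amd64si;c:\windows\system32\drivers\amd64si.sys [2001-08-23 22784]
S2 port135sik;port135sik;c:\windows\system32\drivers\port135sik.sys [2001-08-23 22784]
S2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2001-08-23 22784]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4GCR-11QF-AAD5-81CP7T635612}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\services.exe
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# ComboFix service line: "S2 name;display;path [date size]" or "... --> path [?]" when the file is gone
SERVICE_RE = re.compile(
    r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: --> .+?)? \[(?P<stamp>[^\]]*)\]$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ACTIVE_SETUP_RE = re.compile(r"active setup\\installed components\\>?(\{[^}]*\})$", re.I)
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\([^\\]+)$", re.I)
RECYCLER_RE = re.compile(r"\\recycler\\S-1-5-21-[\d-]+\\[^\\\s]+\.(?:exe|dll|sys)", re.I)
# Security Center values; a non-zero value silences the corresponding warning (assumed list).
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                  "firewalldisablenotify", "updatesdisablenotify"}


def dword(data):
    """Integer value of a REGEDIT4 'dword:XXXXXXXX' literal, else None."""
    if data.lower().startswith("dword:"):
        try:
            return int(data[6:], 16)
        except ValueError:
            return None
    return None


def parse(log_text):
    """One pass over the log: registry keys, "name"=data values, service lines, all lines."""
    keys, values, services, lines = [], [], [], []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lines.append(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.append(key)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"name": m["name"], "path": m["path"], "stamp": m["stamp"]})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values.append((key, m["name"], m["data"].strip()))
    return keys, values, services, lines


def triage(log_text):
    """Return (rule, detail) pairs for every indicator the rules below match."""
    keys, values, services, lines = parse(log_text)
    findings = []

    for key, name, data in values:
        # AppInit_DLLs is loaded by user32.dll into every GUI process on the box.
        if name.lower() == "appinit_dlls" and data:
            findings.append(("appinit_dlls", data))
        # Security Center overrides hide the "no antivirus / no firewall" balloons.
        if (key.lower().endswith("security center") and name.lower() in OVERRIDE_NAMES
                and (dword(data) or 0) != 0):
            findings.append(("security_center_override", name))

    for key in keys:
        # Active Setup runs its command once per user at logon; the key name must be a real GUID.
        m = ACTIVE_SETUP_RE.search(key)
        if m and not GUID_RE.fullmatch(m.group(1)):
            findings.append(("bogus_active_setup_guid", m.group(1)))

    for line in lines:
        # Nothing legitimate executes out of RECYCLER\<SID>.
        m = RECYCLER_RE.search(line)
        if m:
            findings.append(("recycler_executable", m.group(0)))

    # A SafeBoot\Minimal entry keeps a driver loading in Safe Mode; cross-check the
    # service list and note when ComboFix could not find the file ("[?]").
    safeboot = {m.group(1).lower() for m in map(SAFEBOOT_RE.search, keys) if m}
    for svc in services:
        if svc["path"].rsplit("\\", 1)[-1].lower() in safeboot:
            state = "missing file" if svc["stamp"] == "?" else "file present"
            findings.append(("safeboot_driver", f"{svc['name']} ({state})"))

    # Several drivers sharing one date and size are one payload under many names.
    clusters = defaultdict(list)
    for svc in services:
        if svc["stamp"] != "?":
            clusters[svc["stamp"]].append(svc["name"])
    for stamp, names in clusters.items():
        if len(names) >= 3:  # assumed threshold
            findings.append(("driver_cluster", f"{len(names)} drivers share [{stamp}]: {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

To use it on a real log, read the saved ComboFix.txt into a string and pass it to triage(). The script only reports; it deliberately changes nothing, which on a machine in this state is the right split: the findings justify the rebuild, they are not a substitute for it.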