#1
Silver Member
Join Date: Jun 2007
Posts: 137
Hey guys
My friend accidentally ran a hidden exe file on his flash drive, on my computer. The file name was sal.xls.exe. It copied itself into the drive letter E:\ (Windows drive). I cannot delete it! I'm sure I'm infected. I ran MalwareBytes and it found nothing. I ran ComboFix; it deletes a file named ufdata2000.log in the Windows folder. I guess this file is related to sal.xls.exe, but no matter how many times ComboFix deletes it, it keeps coming back because I can't delete the source file. I guess I might have other viruses too! Thanks for any help! Here's my ComboFix log:

ComboFix 08-10-16.08 - Alborz 2008-10-17 11:42:24.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.2891 [GMT 3.5:30]
Running from: F:\Softwares\ComboFix & Friends\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 )))))))))))))))))))))))))))))))
.

2008-10-17 11:36 . 2008-10-17 11:36 49,152 ---hs---- E:\sal.xls.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\msime80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\msfir80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\algssl.exe
2008-10-15 19:32 . 2008-10-15 19:32 <DIR> d-------- E:\Program Files\Hewlett-Packard
2008-10-15 19:32 . 2008-10-15 19:32 <DIR> d-------- E:\Program Files\Common Files\Hewlett-Packard
2008-10-15 19:30 . 2008-10-15 19:30 <DIR> d-------- E:\Program Files\HP
2008-10-15 19:29 . 2008-10-15 19:32 100,869 --a------ E:\WINDOWS\hpgins17.dat
2008-10-15 19:29 . 2007-01-23 01:25 284 --------- E:\WINDOWS\hpgmdl17.dat
2008-10-15 08:41 . 2007-01-23 12:49 614,400 --------- E:\WINDOWS\system32\hpxpg400.dll
2008-10-15 08:41 . 2007-02-12 19:21 548,864 --------- E:\WINDOWS\system32\hpgtg400.dll
2008-10-15 08:41 . 2007-01-23 12:46 438,272 --------- E:\WINDOWS\system32\hpg400co.dll
2008-10-15 08:41 . 2007-01-23 12:50 253,952 --------- E:\WINDOWS\system32\hpscg400.dll
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Program Files\Common Files\Apple
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Program Files\Apple Software Update
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Apple
2008-10-14 23:53 . 2008-10-14 23:53 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-10-14 23:53 . 2008-10-14 23:53 1,409 --a------ E:\WINDOWS\QTFont.for
2008-10-12 21:43 . 2008-10-12 21:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-12 21:43 . 2008-10-12 21:43 <DIR> d-------- E:\Documents and Settings\Alborz\Application Data\Malwarebytes
2008-10-12 21:43 . 2008-09-08 00:11 38,528 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-12 21:43 . 2008-09-08 00:11 17,200 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-10-09 04:17 . 2008-10-09 04:17 42,320 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-09-27 12:46 . 2008-10-08 00:18 28 --a------ E:\WINDOWS\v2d.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-10-17 08:05 --------- d-----w E:\Documents and Settings\Alborz\Application Data\FileZilla
2008-10-17 07:08 --------- d-----w E:\Documents and Settings\Alborz\Application Data\uTorrent
2008-10-15 16:09 6,162 -csha-w E:\WINDOWS\system32\KGyGaAvL.sys
2008-10-14 08:18 --------- d-----w E:\Documents and Settings\Alborz\Application Data\MySQL
2008-10-14 08:04 --------- d-----w E:\Documents and Settings\Alborz\Application Data\Xfire
2008-10-05 12:11 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-09-12 17:54 34,308 ----a-w E:\WINDOWS\system32\Chip.dll
2008-09-12 17:43 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.23.exe
2008-09-12 17:43 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.22.exe
2008-09-12 17:41 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.21.exe
2008-09-12 17:41 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.2.exe
2008-09-10 14:04 1,503,948,100 ----a-w E:\Program Files\full_backup.rar
2008-09-08 04:53 --------- d-----w E:\Program Files\Common Files\Corel
2008-07-25 08:34 81,920 ----a-w E:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w E:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
2007-08-09 07:55 8 --sh--r E:\WINDOWS\system32\85FC424469.sys
2008-05-27 08:27 88 --sh--r E:\WINDOWS\system32\D58D4D8297.sys
.

------- Sigcheck -------

2004-09-01 11:30 359040 7b11118b078b88f87183fe69eda43137 E:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-10-12_13.50.10.93 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-10-14 20:23:20 27,136 ----a-r E:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-10-12 06:31:35 59,270 ----a-w E:\WINDOWS\system32\perfc009.dat
+ 2008-10-17 08:11:10 59,270 ----a-w E:\WINDOWS\system32\perfc009.dat
- 2008-10-12 06:31:35 392,970 ----a-w E:\WINDOWS\system32\perfh009.dat
+ 2008-10-17 08:11:10 392,970 ----a-w E:\WINDOWS\system32\perfh009.dat
+ 2007-01-23 09:16:48 438,272 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpg400co.dll
+ 2007-02-12 15:51:28 548,864 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpgtg400.dll
+ 2007-01-23 09:20:10 253,952 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpscg400.dll
+ 2007-01-23 09:19:20 614,400 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpxpg400.dll
+ 2004-08-03 19:28:46 15,104 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\usbscan.sys
+ 2006-10-27 09:10:14 12,288 ----a-r E:\WINDOWS\Twunk_16.dll
+ 2006-10-27 09:10:14 12,288 ----a-r E:\WINDOWS\Twunk_32.dll
+ 2006-03-23 07:45:32 96,256 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_6e85597b\ATL80.dll
+ 2006-03-23 07:44:36 479,232 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcm80.dll
+ 2006-03-23 07:44:36 548,864 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcp80.dll
+ 2006-03-23 07:44:36 626,688 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 15360]
"IECheck"="E:\WINDOWS\IECheck.exe" [2005-11-17 108544]
"MsServer"="msfir80.exe" [2008-10-17 E:\WINDOWS\system32\msfir80.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 208952]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 455168]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 455168]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2008-01-08 8523776]
"RemoteControl"="f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"VirtualCloneDrive"="f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="f:\Program Files\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"ISUSPM Startup"="E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 81920]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-01-08 E:\WINDOWS\system32\nwiz.exe]
"FmctrlTray"="Fmctrl.EXE" [2001-11-06 E:\WINDOWS\system32\fmctrl.exe]
"IMJPMIG8.2"="msime80.exe" [2008-10-17 E:\WINDOWS\system32\msime80.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 15360]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.l3codec"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\wa\\WA.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"=

R1 Cinemsup;Cinemsup;E:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 6656]
R2 Apache2.2;Apache2.2;E:\Program Files\Apache2.2\bin\httpd.exe [2007-09-05 24635]
R2 MySQL5;MySQL5;E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=E:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL5 [ ]
R3 gameport;Genius SM-Live Series PCI Joystick;E:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-10-31 9728]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;E:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 349184]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);E:\WINDOWS\system32\drivers\fm801.sys [2001-08-17 320163]
S1 rxp;rxp;E:\WINDOWS\system32\drivers\rxp.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
\Shell\AutoRun\command - P:\autorun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Alborz\Application Data\Mozilla\Firefox\Profiles\a58asg4q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 11:43:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.2 = msime80.exe???.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfir80.exe???l

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"E:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2008-10-17 11:45:28
ComboFix-quarantined-files.txt 2008-10-17 08:14:26
ComboFix2.txt 2008-10-17 07:28:06
ComboFix3.txt 2008-10-17 07:15:41
ComboFix4.txt 2008-10-12 17:48:38
ComboFix5.txt 2008-10-17 08:04:32

Pre-Run: 61,654,745,088 bytes free
Post-Run: 61,643,104,256 bytes free

178
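As an added triage example (not part of the original post, and not ComboFix's own logic), this Python script parses a few "Files Created" and Run-key lines of the kind quoted in the log above and flags what a helper reading such a log looks at first: a document-style double extension, hidden+system attributes on an executable, several executables of identical size dropped together, and Run values given as a bare file name that resolve to one of those binaries. The sample lines are copied from the log; the flagging rules are heuristics chosen for this example.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the ComboFix "Files Created" and
# "Reg Loading Points" sections quoted in the post above.
FILES_CREATED = """\
2008-10-17 11:36 . 2008-10-17 11:36 49,152 ---hs---- E:\\sal.xls.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\\WINDOWS\\system32\\msime80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\\WINDOWS\\system32\\msfir80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\\WINDOWS\\system32\\algssl.exe
2008-10-15 19:29 . 2008-10-15 19:32 100,869 --a------ E:\\WINDOWS\\hpgins17.dat
2008-10-12 21:43 . 2008-09-08 00:11 17,200 --a------ E:\\WINDOWS\\system32\\drivers\\mbam.sys
"""
RUN_KEYS = """\
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe" [2004-09-01 15360]
"MsServer"="msfir80.exe" [2008-10-17 E:\\WINDOWS\\system32\\msfir80.exe]
"IMJPMIG8.2"="msime80.exe" [2008-10-17 E:\\WINDOWS\\system32\\msime80.exe]
"""
# created date/time, ".", modified date/time, size, attribute string, path
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ ([\d,]+) (\S{9}) (.+)$")
RUN_RE = re.compile(r'^"[^"]+"="([^"]+)" \[\S+(?: (\S+))?\]$')

def triage_files(text):
    # Returns {path: [reasons]} for executables in the Files Created list.
    findings, by_size = {}, defaultdict(list)
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m or not m.group(3).lower().endswith(".exe"):
            continue
        size, attrs, path = int(m.group(1).replace(",", "")), m.group(2), m.group(3)
        by_size[size].append(path)
        if re.search(r"\.(xls|doc|pdf|jpg|txt)\.exe$", path.lower()):  # fake document
            findings.setdefault(path, []).append("double extension")
        if "h" in attrs and "s" in attrs:  # hidden+system, as ComboFix prints the bits
            findings.setdefault(path, []).append("hidden+system")
    for size, paths in by_size.items():  # several exes of one exact size: dropper set
        if len(paths) >= 3:
            for p in paths:
                findings.setdefault(p, []).append(f"{len(paths)} exes of {size} bytes")
    return findings

def triage_run_keys(text, suspicious):
    # Run values given as a bare file name whose resolved path is a flagged binary.
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m and "\\" not in m.group(1) and m.group(2) in suspicious:
            hits.append(m.group(2))
    return hits

if __name__ == "__main__":
    flagged = triage_files(FILES_CREATED)
    print(flagged, triage_run_keys(RUN_KEYS, flagged))
```

On the sample above, sal.xls.exe is flagged on all three file rules and the two Run entries that load msfir80.exe and msime80.exe by bare name are reported; the two legitimate drivers and the HP data file are not.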